ML20151T583

From kanterella
Revision as of 21:12, 24 October 2020 by StriderTol (talk | contribs) (StriderTol Bot insert)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Technical Evaluation Rept for Spds
ML20151T583
Person / Time
Site: Cooper Entergy icon.png
Issue date: 11/09/1987
From: Hansen W, Johnson W
LAWRENCE LIVERMORE NATIONAL LABORATORY
To:
NRC
Shared Package
ML20151T552 List:
References
UCID-21235, NUDOCS 8804290075
Download: ML20151T583 (48)
v  d  e


Text

. - - . - . . - . - . . .- . .. - -. _ _ _ _

ENCLOSURE 2 l' -

UCID-21235 t

TECHNICAL $ VALUATION REPORT FOR THE SAFETY PARAMETER DISPLAY SYSTEM FOR NEBRASKA PUBLIC POWER DISTRICT COOPER NUCLEAR STATION November 9, 1987 j W. Hansen (COMEX)

G. L. Jo5asr.a Lawrence Livermore National Laboratory for the

. United States Naclear Regulatory Coninission a

8804290075 8804 PDR ADOCK 050 p PDR

l CONTENTS 1

1. Background...........................................................
2. Sa f ety Paramet er Display Sy stem Des ign Overv iew. . . . . . . . . . . . . . . . . . . . . . 1
3. As sessment of the Verification and Validation Program. . . .. ... . . . . . . . . 3 3

3.1 System Requirements Review......................................

3.1.1 Discussion...............................................3 3.1.2 Evaluation............................................... 4 3.2 Design Verification Review...................................... 4 3.2.1 Discussion............................................... 5 6

3.2.2 Evaluation...............................................

3.3 V a l i d a t i o n Te s t i ng . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3.3.1 Discussion...............................................6 3.3.2 Evaluation...............................................8 3.4 Field Verification Tests........................................ 9 3.4.1 Dis:ussion...............................................9 3.d.? Evaluation...............................................9

4. A s s e s s me n t o f SP D S D e s i g n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 4.1 "The SPDS Shou ld Prov id e a Conc i se Di splay. . . " . . . . . . . . . . . . . . . . . 10 4.1.1 Discussion.............................................. 10 4.1.2 Evaluation.............................................. 10 4.2 "Tne SPDS Should. . . Display. . .Cr itical Plant Variables". . . . . . . . . 10 4.2.1 Discussion.............................................. 10 4.2.2 Evaluation.............................................. 11 4.3 "The SPDS Should... Aid Them (Operators) in Rapidly an: Reliaoly Determining the Safety Status of the Plant".......11 4.3.1 Discussion.............................................. 11 ac:21235t:12/18/87 -i-

J 4.3.2 E v a l u a t i o n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 4.4 "The Principle Purpose and Function of the SPOS is to Aid the Control Room Personnel during Abnornal and Emergency Conditions in Determining the Safety Status of the Plant and in Assessing whether Abnornal Conditions Warrant Corrective Actions by Control Room Operators to Avo id a Deg ra d ed Co re " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 4.4.1 D i s c u s s i o n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 4.4.2 Evaluation.............................................. 16 4.5 "The SPOS (Shall Be) Located Convenient to the Control Room Operators"................................................ 16 4.5.1 D i s c u s s i o n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 4.5.2 E v a l u a t i o n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 4.6 "The SPOS Shall Continuously Display Information from ,

Which the Safety Status of the Plant. . .Can be Assessed. . . ". . . ..17 4.6.1 Discussion.............................................. 17 l 4.6.2 Evaluation.............................................. 17 ,

. "The SPOS S*.all be Suitably Isolated from Electrical  !

or Electronic Interference with Equipment and Sensors ,

tha t a re in Use fo r Sa fety Sys tems ". . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 l 4.7.1 Discussion.............................................. 17 4.7.2 Evaluation.............................................. 18 4.S "Procedures which Describe the Timely and Correct  !

Safety Status Assessment when the SPOS is and is not l Available will be Developed by the Licensee in Parallel with tne SP05. Furtnermore, Operators Should be Trained to Respond to Accident Conditions both with and without

' n s $ P D S A n 3 i l a O l e " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 4.8.1 Discussion.............................................. 18 4.8.2 E v a l u a t i o n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 ac:21235t:12/18/87 -ii-1

1 4.9 "The SPDS Display shall be Designed to Incorporate Accepted Human Factors Principles so that the Displayed Information can be Readily Perceived and Comprehended by S P D S U s e r s " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 4.9.1 Discussior...................................... 7....... 18 4.9.2 Evaluation.............................................. 19

5. S u mm a r y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 9
6. References.......................................................... 22
7. Attachments......................................................... 24 i

l i

at:21235t:12/18/87 -iii-l

l -

l.

r l 1

1. BACKGROUND -

NUREG-0660 [1, 2] identified the need for power reactor licensees and applicants for operating licenses to provide a Safety Parameter Display System (SPDS) that will display to operating personnel a minimum set of parameters which define the safety status of the plant. This need was confirmed by the Nuclear Regulatory Commission (NRC) in NUREG-0737 [3] and Supplement 1 to

. NUREG-0737 [4]. SPDS requirements in Supplement 1 to NUREG-0737 replaced those in earlier documents.

Included in Supplement 1 to NUREG-0737 is the requirement that the licensee or applicant prepare a written safety analysis for the SPDS and provide this analysis along with the plant specific SPDS implementation plan for NRC review. Criteria for evaluating Safety Parameter Display Systems are contained in Section 18.2 of NUREG-0800 [5], the Standard Review Plan. These criteria address both the review of a specific SPDS design and review of the applicant's or licensee's Verification and Validation (V8V) program, including.

the program for SPDS design, development, and testing. Results of the NRC evaluation of a SPDS will be documented in a Safety Evaluation Report (SER) or SER Supplement.

On March 1,1984, Nebraska Public Power District (NPPD) submitted SPDS de re-tati?- '~ NRC review. These materials included the Safety Analysis Report [6], the Verification and Validation Plan [7], and V&Y Implementation Plan [8]. These documents were examined by LLNL and the NRC staff prior to a licensee-requested Preirplementation Audit which was conducted on June 12-13, 1984. The report of this audit [9] states that in the view of the NRC staff, " ..if adequate information is provided (by Nebraska Public Power Cist-ict), the second phase of our review need not include a visit to the Cooper site but will be strictly a ' desk top' audit." Subsequent to the o-ele entatien Audit. NPPD submitted additional material #ich addressed tne V&V results, cescrioed tne SPDS displays, and provided results of the SPDS reliability analysis [10-18]. This Technical Evaluation Report (TER) provides Lacence Livermore Naticnal Laboratory's (LLNL's) evaluation of the Cooper Nuclear Station (CNS) SPDS with respect to the requirements of Supplement 1 to NUREG-0737, for NRC's use in preparing a Safety Evaluation Report. Our evaluation was based upon the review of all documentation described above.

2. SAFETY PARAMETER DISPLAY SYSTEM DESIGN OVERVIEW T*.e CNS SC is a suosystem of an integrated computer system called tne Plant Management Information System (PMIS). The PMIS is comprised of: (a) a 1 modular, intelligent, multiplexed, front-end data acquisition subsystem, (D)  !

re:undant preprocessors, (c) modern, high-speed, real-time, multi-user, multi-tasking Central Processor Units (CPUs) coupled with operator-interactive sof tware, and (d) color graphic display equipment. The SPDS display terminals interface with tne PMIS via rack-mounted modems. Therefore, the SPDS is '

I depetent on the PMIS data acquisition subsystem, preprocessors, and central processors, ac:21235:12/18/87 1

l To the extent practical, the SPOS utilizes available capabilities of the PMIS sof tware. Special software is needed for the foll.owing unique SPOS functions:

o Routines to support external (real) data points. l Calculation of current value.

Alarm / limit checking.

Assignment of quality code.

Interfacing with PMIS routines for updating the current value table, o Routines to drive displays or display features not supported by the PMIS .

display compiler. )

o Routines to support data validation features of the SPOS that supplement those performed by the PMIS.

The information presented to the control room operators on the SPOS is ,

structured into a three-level hierarchy of color graphic displays. The l primary pcetion of the level-1 display is the SPOS status area, which appears l across the tottom of the display and is found on all of the SPOS displays., I regardless of level. The status area is comprised of five color coded l

, rectangles. Each rectangle shows the status of one of the critical safety l functions: reactivity, core cooling, coolant system integrity, containment l

I integrity, or radioactive release.

The level-1 displays also include the following bar charts in the general and graphic display area located above the status area:

o Average power range monitor ( APRM, average).

o Reactor pressure vessel (RPV) pressure.

o RFi nater ie.el (narron- range), i o Drywell pressure (narrow range). l There are also two equipment status indicators and an emergency operating I procedure (EOP) limit status indicator on the level-1 display.

I The level-2 displays consist of bar charts, trend plots, and mimics (as I appropriate) to indicate the current value and trend of key variables related to each of tne level-1 critical safety functions. A variety of equipment status indicators and E0P limit status indicators are included on selected level-2 displays. There are 12 level-2 displays.

The leve' 3 displays consist of graphic phts that show the proximity of the plant to ultiple-parameter limit curves, or decision points that are specified in the plant E0Ps. There are 12 level-3 displays. Proximity to the limits determines the status (color) of the E0P status indicators on the level-1 and level-2 displays. Another important linkage among SPDS displays is a system alarm area in the upper right hand corner of all SPOS displays.

This displays a magenta "E" whenever any E0P status indicator is in a warning '

l or alarm state. It is blank when E0P status indicators are in a normal state. l l

In addition to the control room, the SPOS can be displayed in the Technical Support Center (TSC), and Emergency Operatioro Facility (EOF).

i ac:21235:12/18/87 . - ._ _

3. ASSESSMENT OF THE VERIFICATION AND VALICATION PROGRAM

' A Verification and Validation (Y&Y) Program is concerned with the process of specification, design, fabrication, testing, and installation associated For the SPOS, with an overall system's software, hardware, and operation.

verification is the review of the requirements to see that the right problem is being solved, review of the design to see that it meets the requirements, and testing of system modules to verify that they function properly.

Validation incitdes performance testing of the integrated system to see that it meets all requirements. Validation testing should not only include integrated testing of the hardware and software, but testing of the SPDS as part of the larger system for plant operations, which incitdes the control room, plant procedures, plant operators, and operator training. Supplement 1 to NUREG-0737 does not require that Verification and Validatnn of the SPOS be conducted. However, a V&V program performed by the applicant /?icensee during design, installation and implementation of an SPOS will facilita*.e the NRC review of the system. On the basis of an effective V&V program, the NRC staff will reduce the scope and detail of the technical audit of the design.

The renainder of this section presents LLNL's assessment of the CNS SPOS V&V program. The criteria for an effective V&V program, recomended by Section 18.2 of NUREG-0800 and by the Nuclear Safety Analysis Center in W : '2: 'f. : , , : : ut.d as the basis for this assessment.

?: SYSTEM REQU:REMENTS REVIEW The system reouirements are the foundation on which the completed system m;st De cesigneo, built, and accepted. Section 18.2 of NUREG-0800 recomends that a review of system requirements be conducted to determine that the SPOS

- ......, .r... <

p 3334 3 , 4 ,. ., gg g r30 3 3 93 ;33; , sy3 g. e j g_ ..,

review should inoependently determine if the requirements will result in a possible and usable solution to the entire problem, and should verify that the re;uirements are correct, complete, consistent, understancaole, feasible, testable, and traceable.

3.1.1 Discussion j l

Verification and Validation was perfomred by the SPDS vendor, Science A::1ications International Corporation (SAIC). The independence of the V&V team nas estaolisnes by using a SAIC group (SAIC-Lyncnburg) which was not involved in the design of the system, and an independent VSV subcontractor, Pied Piper Engineering.

Reference 6 discusses the methodology for performing the requirements review. Tne PMIS Statement of Work (50W) was used as the baseline for the review. The V&V team cross-referenced the requirements of NUREG-0737, Supplement 1, NUREG-0696, and other associated NRC documents with the 50W then revieaed them according to the following criteria, ac:21235:12/18/87 3-1 j

l 1

o Does each. originating requirement have a corresponding system requirement within the PMIS developer's scope of supply?

o Are the system requirements clearly defined and can they be implemented?

In the report of the Preimplementation Audit, the NRC staf f expressed a need for a summary of Verificatic.) and Validation discrepancies and resolution. This was provided by the licensee in the form of a final Verification and Validation report [10). This document indicates that the V&V team had difficulty in cross-referencing of system requirements with the 50W in accordance with the plan. In addition, the discrepancies found during the requirements review were not inserted through revision of the 50W before the comencement of design. This may have resulted in an increased number of discrepancies in this phase of the V&V.

After the first phase of the V&V requirements review, the V8V team issued fifteen reviewer coments (discrepancies). Ten of these were resolved through meetings with NPPD and the developer, SAIC-Huntsville. Five discrepancies were issued in the Systems Requirements Yerification Report, four of which were ultimately resolved.

There remains a disagreement between the NPPD and the V&V team on one item. This item concerns a perceived need by the V8V team for an overall

j:;s "nsalt " tr.itor to q;ickly inform the operators that the 5005 is inoperable. A display "box" indicating "SPDS Healthy" or "SPDS Not Healthy" was recomended. This suggested solution was rejected by NPPD because of the cc plexity of design requi ed and the adequacy of individual data "health" tags as the system is presently designed.

3.1.2 Evaluation Tne system requirements V&V conducted by the NPPD appears adequate.

However, the V&V team's concern that the operators know that the SPOS is operating properly needs to be more completely addressed. The trost significant concern is that the control room crew know that the data displayed is current and is being updated. The licensee should provide the NRC with inform 3 tion that describes how such information is provided, in a readily perceived fashion, by the CNS SPDS.

3.2 DESIGN VERIFICATION REVIEW Section 18.2 of NUREG-0800 recomends that a design verification revicw be performed after the system is initially designed to verify that the design will satisfy functional needs. NSAC/39 recomends that the design review ensure that the system requirements' decomposition into hardware and software is complete and that there are no ambiguities or deficiencies, ac :21235 :12/18/87 3.2.1 Discussion-Design verification was performed for both the software and hardware designs. The primary tool for the design verification was the Capabilities Matrix. Each system capability as determined from system design documentation was matched with a system requirement as developed during requirements-verification. Where there was no system capability for a system requirement, a discrepancy was noted. Design documentation was also checked fo-consistency and correctness.

The individual hardware components of the system are proven devices which are used by their manufacturers in many applications. The hardware design verification, therefore, was restricted to an evaluation of the integration of the individual components into a total working data system. The hardware design verification resulted in no recorded discrepancies. Reference 10 f states that five relatively minor comments were documented as reviewer comments.

l The software design verification concentrated on those areas related to the SPDS and the emergency response facilities. The first review of the l software design documentation resulted in 37 reviewer comments. A number of l

these were resolved by discussions, meetings, or additional docunentation. At t  :: ;':' ':  :' t5: s:ftware design verification, 20 discrepancy rep -ts were issued. Most of these were artifacts of design documentation not being in final form. With the issue of the final design documentation, all but l three discrepan:y reports were resolved.

Discrepancy number 11 states that the design documentation did not pro, ice a system si:ing, timing, and load analysis to demonstrate compliance witn requirements. The NPPD response to this V&V team discrepancy states that

- - '*"e e"'e syste- have de,enstrated adepuete CDU caperi.

under the heaviest load conditions. Another problem is slow display response time. The licensee's contractor, SAIC, is attempting to correct this problem 0; .4(ing tne SPD5 cisplays CPU memory resident. NPPD has also requested proposals to make data files for other application software CPU memory resi ent t: ' creve system response.

Dis:repancy number 12 states that the documentation of human factors cesi;- in the SPDS displays was not provided. During the Preimplementation Audit, tne NRC staff considered the human factors plan, as described, to be

ene ally ade
vate (with the exception of "functional validation").

Apparent b , tne 75,' team cio not finc occumentation which confirmed tne performance of a human factors review as described to the NRC Preimplementation Audit team. The NPPD position on this unresolved dincepancy is tnat SAIC is completing a human factors checklist review of the SPDS displays, and will issue a summary of their human factors activities regarding the SAIC human factors plan, implementation of it into the design, and the verification that the plan and guidelines were followed for PMIS/SPDS displays, at:21235:12/18/87 . .

Discrepancy number 14 states that there is insufficient documentation co describe the logic behind SPDS display linkage. The V&V team feels that t1e SPDS display linkage is important and should be reviewed by operations personnel who are familiar with the E0Ps. The NPPD response to this discrepancy states that operators familiar with the E0Ps have reviewed ',he linkage logic and that changes have been made. The contractor, SAIC, r,id provide a hierarchical 'inkage method based on BWR owners group levels-1, -2, and -3 displays which NPPD will continue to monitor and change if required.

3.2.2 Evaluation The methodology utilized for the hardware and so'ftware design verification appears to be adequate. We cannot judge the adequacy of NPPD's implementation of this methodology until the following discrepancies noted by the V&V team are resolved:

o Discrepancy fil: This discrepancy implies that display call-up time is excessive. NPPD :hould specify design goals for system response based on operational requirements, then modify the SPDS system as necessary to achieve these goals. NPPD should submit, for NRC review, a description of the system response time goals, the basis for these goals, and discussion of the process fcr ensuring these goals have been, or will be, met. Ir defining these operational requirements, NPPD should take into account the operational demands on the SPDS during a severe accident. During a major event, it can be expected that all SPDS terminals will be operating; heavy demands will simultaneously be placed on the central processor from all these locations, o Discrepancy #12: NPPD should provide documentation, for NRC staff revies, which verifies that the human factors plan, as described during the iu 1, r..;.. . . . . ;n A.d it , wa s f:ll c we d .

o Discrepancy #14: LLNL was unable to determine the V&V team's precise concern on the linkage question. The response by NPPD was also not understocc. NPPD should provide NRC with additional information clarifying the intent and resolution of this discrepancy.

3.3 VALIDATION TESTING NUREG-0800, Section 18.2 recommends that validation testing be performed a#ter the system is assembled to confirm that the operating system satisfies functional neeos.

3.3.1 Discussion A validation / field installation verification test report [11] describes the accomplishment of this portion of the V&V, which was based on the V&V Plan.

ac :21235 :12 /18/87  ! .

l t ,

The first phase of the validation testing program was conducted in conjunction with the Factory Acceptance Test (FAT) program. Following these tests, there were a number of unresolved areas concerning the system test and test methodology. Because these issues were not resolved prior to the beginning of the site acceptance testing (SAT), the validation concerns were addrossed during sita acceptance testing. The following activities were performed by the V&V team:

o The SAT test results were analyzed. In some cases the site testing resolved concerns esttblished during factory testing.

o At Cooper Nuclear Station, the V&V team observed testing, interviewed responsible NPPD individuals, and examined test documentation to evaluate installation tests and problem reporting resolution techniques, o The V&Y team conducted tests at the plant to establish SPDS performance and conformance to design documentation.

o The V&V activity was documented and problems were reported in the form of reviewer comments, discrepancy reports, or site oroblem reports.

o All open problems were presented.to the SAIC developers for resolution.

The V&V Plan assumed that the problems found during the validation performed at the factory would be corrected prior to the start of the site tests, and that all that would be required at the site would be a verification

">' '"t r evicer'y vz'idated syste was properly installed at the site.  !-

reality, however, the V&V Plan was not followeo, in that validation activities as well as installation verification were completed in parallel at the site.

Validation tests associated with the Factory Acceptance Tests identified 19 recommended additional validation tests, 21 unresolved reviewer comments, an 4 unresoi,e: an; 1 resolve discrepancy reports. As a result of continued testing at the site, all but one of the reviewer comments and discrepancy

-e-- *- < e .- -py;1yp s N- -o, die -"eD*ncies were identi'ied bv the sit e tests.

The one unresolved discrepancy concerned the system load test. The V&V team indicated that no load test was conducted or the as-installed system unde realistic heavy load conditions. The V&V team recommended continued system monitoring to evaluate the system response under plant upset and transient conditions. It is the NPPD position that a controlled heavy load test can not be realistically perforced on the installed system with the data acquisition system connected to sensors throughout the plant. They concur with the recommendation to continue to monitor system response. They also p; int ;;t tnat curing a plant scram in Feoruary of 1986, the PMIS capture:

transient scram data and proved invaluable in analyzing the sequence of events that occurred.

During the Preimplementation Audit, the comment was made that NPPD may have underemphasized functional validation. Functional validation is a key ele ent of any V&V program. The NRC staff displayed concern that the program did not provide for full system validation--the testing of all elenents of the system (hardware, software, training, procedures / manuals, and operators). The ac :21235 :12 /18/87 1

9 NRC strongly recommended that some measure of system effectiveness, such as man-in-the-loop testing, be done to assure that the SPDS provides appropriate information to the operators in a readily-perceivable and non-misleading form.

In response to this comment, NPPD performed a man-in-the loop test

[12]. This test was developed to serve as an additional check to ensure a smooth integration of the SPDS with the rest of the control room environment, the emergency operating procedures, and the training of control room personnel.

The man-in-the-loop tests were conducted in the TSC using a taped scenario wh.ich was fed into an SPDS monitor. Five operating crews participated. Operators responded to questionnaire items concerning usefulness of displays and observed deficiencies and recommendations for improvement. Five sets of questionncires were obtained, although not all crews reviewed all displays. The transient selected was a loss of coolant accident which involved loss of feedwater flow, reactor core isolation cooling trip, high radiation in reactor building, turbine bypass valves fail shut, core spray trip, residual heat removal trip, and loss of coolant due to a recirculation pump suction line break. The responses to the quest'ionnaire were quantified, then reviewed by SAIC human factors personnel.

NDDD rero ted that the 'i9 dings of the tests were quite positive. No serious deficiencies were observed in the system. The majority of connents and recommendations suggested minor enhancements which are being evaluated.

The statistics obtained from the evaluated questionnaires support these conclusions. Detailed comments and recommendations by the operating crew personnel were not p ovided in the test report. Therefore, their disposition was not a.ailable for LLNL review.

Nr in'ce etic 9 ca the operator training program, or procedures which illustrate the use of the SPDS in the control room, SPOS instruction manuals, or copies of the E0Ps, was included in the material provided for review.

3.3.2 Evaluation Except for the cecisisn not to perform an as-installed syctem load test, NPPD's validation process has fulfilled the intent of the NUREG-0800 recommendations. Tne lack of a discussion of the nature of operator comments resultinc from man-in-the-loop testing also inhibited our reviow of the ir.ple entation of tnis pertion of the validation testing.

To allow an unequivocal conclusion regarding the validation program, NPPO should:

o Conduct load testing to verify system response time does not unacceptably degrade under decand conditions expected a fter an accident, and provide for NRC review a discussion of this testing and the results, o Provide NRC with a description of operator responses and comments obtained from man-in-the-loop testing, and provide a discussion of the resolution ac:21235:12/18/87  !

I i

l

of any negative responses or comments that were obtained.

o Provide training plans and SPOS operating manuals for NRC review.

Because the man-in-the-loop validation testing was not conducted in the control room or in a plant simulator, it did not provide the best possible test of the integration of the SPDS with the rest of the control room environment, the emergency operating procedures, and training of control room personnel. Therefore, if the CNS plans to install a simulator, it is suggested that additional functional validation tests be conducted to fully evaluate the SPDS in the control room environnent. These simulator-based functional validation tests should include a severe accident scenario.

3.4 FIELD VERIFICATION TESTS NUREG-0300, Section 18.2 recommends performance of field verification tests, once the system is installed, to verify that the validated system was installed properly. NSAC/39 recommends that, as a minimum, field verification testing should confirm that the information displayed is directly correlated with the sensor data being input.

,y .

The V&V team determined that NPPD performed a very thorough wiring check durin; the installation of the data acquisition system. In addition, NPr0 planned an SPDS/ control board comparison study to ensure correct installation through the SPOS displays. The V&V team considered these two actions suf f ic ier. for fiele installation verification. The documentation provided for review does not contain a test plan or procedure for the SPOS/ control )

m. . .- ...: . e. m . n. the results of any comparison which may have bee-Cor. ducted.

3.4.2 Evaluation LLNL could not reach a conclusion regarding the adequacy of the field verfication tests. Tne licensee should provice the NRC with the test plan and cro edure for the control board comparison study, the results of the test, and the disposition of any discrepant items.

4 ASSESSMENT OF SPDS DESIGN ine folio.ving se:tions present a discussion of the CNS SPDS design, and LLNL's assessment of this design, with respect to the requirements of Supplement 1 to NUREG-0737 and the review criteria of NUREG-0800, Se: tion 18.2, at:21235:12/18/87 4.1 "THE SPDS SHOULD PROVIDE A CONCISE DISPLAY ..."

4.1.1 Discussion The level-1 display presents the current status of the critical safety functions in the form of five rectangular boxes (safety function indicators--

SFis) which change color to display to the operator a change in status. These status boxes are repeated on all SPDS displays. During normal power operation, all SFIs will be green. An SFI block will change to display yellow (warning condition), red (alarm condition), or magenta (data validation problem). The level-2 and -3 displays present successive levels of detail.

The man-in-the-loop test, per formed in the V&V program, indicated that 92 percent of the operations personnel responses to display design were positive. No displays were rated as providing too much information.

The NRC staff found no problems with the intended design of the SPDS displays during its Preimplementation Audit.

4.1.2 Evaluation The NPPD SPDS satisfies this requirement of HUREG-0737, Supple. tent 1.

4.2 "THE SPDS SHOULD ... DISPLAY . .. CRITICAL PLANT VARIABLES" 4.2.1 Discussion Tne SPDS uses plant variaDies available on the PMIS. The SPDS Safety Analysis Report (SAR) identified the planned SPDS parameters and presented NPPD's rationale for parameter selection. The Preimplementation Audit report provided the NRC staff's preliminary conclusion that the five critical safety functions in NUREG-0737, Supplement I were adequately addressed, and that the proposed list of parameters was tentatively acceptable for the stated purpose. It was noted that the proposed list of plant variables had not been finali:ed, and that the list contained variables identified as possible future accitions to the SPDS. The NRC staff commented that the final list should also reflect anticioated revisions to the Boiling Water Reactor Owners Group (5 'ROG; Emergency Frocecures G;idelines (EPGs), to the extent that tne information is available. The NRC staff also stated that NRC review would be based on the finalized list of parameters to be available on the CNS SPDS. i NRC requested that the licensee submit a finalized list of parameters as well as a discussion of the rationale for any deletions and/or additions to the pecposed parameter set, j l

Reference 14 presents a finalized list of SPDS parameters as well as a i discussion of the rationale for any deletions and/or additions to the parameter set proposed in tne SAR.

ac:21235:12/16/87 I l

Attachment 1 is Table 1 from Reference 14, which presents the field input points for generating CNS displays. Attachment 1 also indicates those points which were added since the publication of the SAR. Attachment 2 is Table 3-1 from Reference 14, which is a summary of all field and composed data points.

Attachment 3 is Table 2 from Reference 14, which is a summary of variables listed in the SPDS SAR that were not implemented in the final CNS SPDS configuration. Attachnent 3 also indicates the reason for deleting each variable from the list presented in the SAR.

The additional variables, which were added to the 'SPDS since the publication of the SAR, are used to provide the ability to perform needed calculations, or an expanded status indication capability for key equipment.

The primary reasons for deleting most of the variables are that the data wera not required, adequate substitute data were available, or the variable was not available on the PMIS, Several secondary containment variables were not implemented in the SPDS because they were not available in the PMIS.

i I

4.2.2 Evaluation The CNS SPDS parameter selection meets the requirements of Supplement 1 to NUREG-0737. Figure 8-1 of Reference 15 indicates that the Intermediate

'. ,. ": '.  ; ':r":,' er:lusively eenitor power / flux between .001 and 1 percent power. LLNL concurs with NPPD's contention that this lack of overlap between the Source Range Monitors (SRMs) and APRMs does not justify the i cc ;1 exit;. a ,d expense of incorporating the IRMs into the CNS SPDS.

4.3 "TnE SPDS SHDULD ... AID THEM (OPERATORS) IN RAPIDLY AND RELI ABLY DETERMINING THE SAFETY STATUS OF THE PLANT" 4.3.1 Discussion The information provided for review does not explicitly specify the data rates O' individual parameters or calculated points, or the time required for However, a review of tne tne 5:05 ; provide a display requested by the user.

validation test report gives an indication of problems with the SPDS display resp nse time. "During the V&V visit... SPDS response times from one SPDS display to the next requested SPDS display were taking longer than the There soe:4fie: time cf 3 seconds. The minimum time measured was 5 seconds.

were some cases wnere tne measured times were ten seconds cr longer...."

Reference 10 indicates the licensee's attempt to improve response time by making the SPDS displays CPU memory resident.

No descriptive material was provided to illustrate the use of the keyboard to call the various SPDS displays. A picture was included which indicates tnat the 1st and 2nd level displays can be called by a single keystroke. However, the discrepancy above, which relates to the display response time, indicates some human engineering problems with the keyboard, ac:21235:12/18/87

...when you start with the SPDS OVERVIEW display and use the arrow keys to page several displays away from the overview display, you must first use a function key for any other display, then use the function key for the overview display to return to that display. The other case is to request to see a point value. The cancel key must first be depressed before the next SPDS display can be requested" (10). -

The method used for data quality validation is limit checking, supplemented by redundant sensor checking when more than one sensor is available. Each time a field input point is sampled by the PMIS, a data quality code is appended to the current value. There are 19 such data quality codes. Attachment 4, Table 2-1 to Reference 15 shows the 19 quality codes and the default color associated with each code, and sumarizes the use of each appended code in subsequent calculations. Calculated data point quality codes are determined by the worst quality code of any of the inputs. To the extent practical, the SPDS calculations are performed using "healthy" data. The SPDS generally uses the PMIS default color assignments listed. in Attachment 4. A SPDS bar chart will have a green color fill wher. the associated data point has a quality code of GOOD or INHB. The bar color becomes yellow when the quality code is LWRN or HWRN (i.e. , the current value is' in the warning zone), and becomes red when the quality code is LALM or HALM (i.e., the current value is in an alarm zone). Displays asseciated with invalid data are color coded m5;en t. Eneptions to this methodology are that all pump and valve cperatin; status indications follow existing control board convention (red On/Open, green Off/ Closed), and all rate-of-change data are displayed in cyan.

We noted that the algorithms for display of RPV water level do not dynamically take into account the effects of high temperature adverse containment environment conditions. The displays involved are the level-1 RPV water level bar chart, the level-? RPV water level mimic, the level-3 RPV

a m i, n..' ...... n . . , .M t'.c
:re :::li*.; szfctj functior ir.ti:it:-

which appears on all SPDS displays.

Incication tnat the RPV level reading may be invalid due to adverse containment environment is provided to the operator through the use of a E0P status indicator (EOPSI). The E0 PSI is generated by a level-3 algoritnm and  ;

is shown on related level-1 and -2 displays. The indicator is titled RPV <

saturation limit. It will either be green if the containment temperature /

reactor pressure relationship is below the saturation curve and below the )

engineering limit (400 degrees F) of the containment temperature detector, ma;enta i' tne containment temperature is above 400 degrees F, or red if the saturation conditions are reached below 400 degrees. As stated above, tnese colors do not propagate through to the RPV level displays. In formation regarding how the operator should realize that a red or magenta E0 PSI ,

incicates invalid or questionable SPDS RPV level information was not I available. In addition, the coie cooling SFI appears on displays in which the l RPV saturation limit E0 PSI is not displayed. The E0 PSI uses the "Healthy '

Maximum" of five containment temperatures in its calcolations, a c :21235:12 /18 /87 . .

The Preimplementation Audit report notes that the method of "analytical redundancy", the comparison of a data point with a calculated expected value, T'le NRC audit team further is not used as a method of data validation. These descriptors might be comented on the use of the 19 data oescriptors.

providing a level of detail which is beyond the requirements of the operater. The audit team recommended that the human factors review of the SPDS include consideration of the effectivenets of the proposed display techniques for data quality codes.

The PMIS includes data acquisition hardware, computer system hardware, and display /hardcopy hardware. The data acquisition hardware consists of Data from each are multiplexers in five locations throughout the plant.

routed via separate fiber optic data links to redundant data concentrators in the computer room. Each multiplexer at each plant location consists of one or more multiplexer cabinets. The data concentrator is a high performance microprocessor subsystem which receives, decodes, and buffers the data collected from up to ten multiplexer data links. Two The data concentrater then stores the data for use by the host computers. data concentrator Each data tuncentrator svDaystems provide a high degree of system redundancy.

subsystem comunicates with each multiplexer via a high speed fiber optic link.

A umpeter sjsten. ccnsists of two Digital Equipmea.t Ccmpany (DEC VAX 11/780 fully redundant computers. They are configured in a hardware cluster with dual-ported disk units, a comunications line switch, and a varie*.j of peripherals.

The display subsystem consists of color-graphic display units mounted in consoles located in the control room, Technical Support Center, and the Five display units are located in the Emergency Operations.Facilityt.~;t console.t's 4- reacte- crc-e W 's censM e, M k the c....rn c.

balance of plant console (one in a turret and one fixed), and two fixed in tne engineering console. The comunication link to the various displays and cnaracter printers located in the con,puter room is via direct RS-232 cables and limited distance modems.

0; ring tne Preimplementation Audit, the NRC staff requested that the licensee submit a sumary of SPDS reliability. SAIC conducted two evaluations of SC S reliability- a qualitative failure made and effects analysis, and a The purpose of the quantitative

't reliability block diagram analysis [16).'re .Tde and effects an of tne PMIS by analyzing the effects of particular failure modes on the PMIS. This analysis was conducted on a nodule-by-module basis from the data acquisition section of the PMIS, through the data processing section, and finally to the data display / recording system. The failure mode and effects The analysis indicates that the PMIS and SPDS are highly fault tolerant.

relia 3111ty block diagram analysis showed that the PMIS Thehardware provides control room a display control room system availability of 99.80 percent. l system power supply has an availability of 99.83 percent, and the series  ;

evailability of the control room system and power supply is 99.63 percent. I l

at :21235 :12 /18 /87

)

1

To further evaluate the reliability of the SPDS, the Preimplementation Audit team also requested the results of the 1000 hour0.0116 days <br />0.278 hours <br />0.00165 weeks <br />3.805e-4 months <br /> availability test.

Tnis was provided in Reference 17. The total run time of the availability test was 1005.73 hours8.449074e-4 days <br />0.0203 hours <br />1.207011e-4 weeks <br />2.77765e-5 months <br />. This includes 5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> 11 minutes of accumulated hold time and 33 minutes of accumulated outage time. The system availability test demonstrated an availability of 99.945 percent. A review of the test indicates it was conducted in accordance with the guidelines of the "Specific Rules For The Availability Test" as set forth in the test plan. All SAIC-supplied spare parts had been delivered at the time of the test, but none were required during the test. Digital Equipment Company provided two disk packs under a maintenance agreement.

In its report of the Preimplementation Audit, the NRC staff also requested that the licensee submit a commitment to provide a highly reliable power supply system for the SPDS, and a discussion of the power supply system in terms of its impact on total SPOS system reliability. This was provided by NPPD in Reference 18. This document provides mean time between failure (MTBF) estimates for each of the power supplies to the PMIS equipment through the unin'erruptable power supply system. The approach was to use site-specific data whenever available. When site-specific data were not available, ger.eric data were used. Whenever possible, actual system reliability data were utilized, rather than computed reliability estimates. Approximation methods ce used rathe- than a rigerous analysis requiring computer techniques.

LLNL's review of Reference 18 showed the calculational techniques to be eescnable and the assu~ptions conservative. The Mean Time BetwEen Failures of the power supply system to the PMIS was determined to be 8.4 years.

It was not possible to determine the methods of preventing unauthori:ec changes, either inadvertent or deliberate, in the SPOS software system from

'u i m - w " p vided for review.

A discussion of the operator's ability to determine if the SPDS system is operating is fo;nd in the V&V section of this report, paragraphs 3.1.1 and 3.1.2.

4.3.2 Evaluation Tne NPPD S?DS will fulfill the requirements of Supplement 1 to NUREG-0737 with respect to a rapid and reliable SPOS if the following items are sa w a;torily resolved, o NPPO should determine the operational requirements for display response tires, establish design goals based on these requirements, and modify the 4 SPLS to achieve tnese geals. These requirements should reflect the I expected heavy demands on the system during an accident. '

o NPPD should review the human factors analysis of the keyboard design to determine if the SPDS displays are accessible to the operators through a logical and minimal number of steps.

ac:21235:12/18/87 i

~

o NPPD should verify that the operators can recognize that a magenta or red RPV saturation limit EPOSI indicates invalid or suspect-level information is being displayed.

o NPPD should verify that the operotors will be aware that the core cooling SFl is presenting invalid or suspact-information when the SPDS is on a display which does not have the RPV saturation limit EPOSI, and that indicator is magenta or red.

o NPPD should ensure that adequate procedures, maintenance manuals, and spares for the SPDS are provided, o NPPD should provide for NRC review its procedures for preventing the entry of unauthorized data or changes into the SPDS.

NPPD's actions on the above items should be described to NRC for review.

LLNL also suggests that NPPD consider the use of analytic redundancy as a method of data validation for points which have r.o redundant values with which to make a comparison.

LLNL considers the use of 19 quality codes in the context of the CNS SPDS design not to be excessive. Only nine of the codes are concerned with "healthy" or "not healthy" data. The display graphic fill colors are the important indicators to the operator, and these have been selected to provide t c crc-M:- /t' use fui data on the status of the plant. In addition, the 19 quality codes can provide useful trouble shooting information when time permits.

The aeditional information provided by NPPD on the reliability of the SPDS and its power supply and the resuits of the 1000 hour0.0116 days <br />0.278 hours <br />0.00165 weeks <br />3.805e-4 months <br /> test indicate that tne SPDS is a reliaDie system for its intended use.

4.4 "THE PRIN;1PLE PURPOSE AND FUNCTION OF THE SPDS IS TO AID THE CONTROL ROOM PERSONNEL DURING ABNORMAL AND EMERGENCY CONDITIONS IN DETERMINING THE SAFEit ST AT'JS OF THE PLANT AN'> '- 4:.SSING WHETHER ABNORMAL CONDITIONS WARRANT CORRECTIVE ACTIONS BY No.1L a 00M OPERxTORS TO AY010 A DEGRADED CORE" 4.4.1 Discussion Tne NPPD has chosen to accomplish this requirement with concise displays 4 I

related to the critical safety functions identified in Supplement I to )

NUREG-Z L , inese f.nctions are:

e Reactivity control, o Reactor ccre cooling and heat removal from the primary system, o Reactor coolant system irtegrity. 1 o Containment conditions.

o Radioactivity control, ac :21235 :12/18 /87 t

An additional purpose of the SPDS is to support the implementation of symptom-oriented E0Pc developed from the BWROG EPGs.

The design overview, section 2 of this TER, presents the general design of the SPDS and hence will not be repeated in this discussion. The documentation provided indicates that the NPPD has utilized inform 1 tion from the BWROG and the designs of other similar BWR plants (for example, Detroit Edison's Fermi, Unit 2 power plant) to develop its SPDS.

During the man-in-the-loop-test, the crews were asked to evaluate the inforcation provided in the displays in terms of being directly useable versus requiring transformation. In every case, information was determined to be directly useable by the majority of responding crews. Overall, approximately 88 percent of all crew responses were favorable. Crews were also asked to evaluate displays in terms of how well they related to the new symptom-oriented E0Ps. Approximately 70 percent of the displays were rated as being related to the E0Ps. The remaining 30 percent were rated as being somewhat related by the majority of the responding crews. There were three instances in which a single crew (out of five) did not feel the display was related to the E0Ps.

Operators were also asked to rate the usefulness of the displays on a scoie f r on, ' cetrimer.ta i" tc "ve rj use ful". Taenty-three of the twenty-four displays were rated as 'useful" by the majority of responding crews. One display was rated as "not useful," and there were no displays : ated as being "c e:r imenta i . "

4.4.2 Evaluation P. 05: 27~:. .' ; ;.t'..'ic. tr.i; c;.iremer. of Su;;1ement I tc l NURE G-07 37.

I i

4.5 "THE SPDS (SHALL BE) LOCATED CONVENIENT TO THE CONTROL ROOM OPERATORS" 4.5.1 Discussion No information was provided regarding the location of the SPDS terminals within the control room. This review was scheduled to be conducted as part of Detailed Control Room Design Review (DCRDR). The NR;'s SER for the DCRDR [20; requested that the results of this review be provided in a Supplemental Sum?.ary Report. This supplemental report was not available for review during the preparation of this TER.

The locations of the terminals capable of displaying the SPDS in the control room are discussed in paragraph 4.3.1. of this report. There are sufficient terminals such that they should be readily available to the control room staf f. ,

at :21235 :12 /18 /87 .

There is no designated primary user of the SP05. Users include the reactor operator, the shift supervisor, and the shift technical advisor.

4.5.2 Evaluation The Cooper SPDS will meet the requirements of Supplement 1 to NUREG-0737 in this area, if NPPD satisfactorily completes the human factors review of the placement of the SPDS terminals in the CNS control room and corrects discrepancies found by the review.

l It is recomended that a primary user of the SPDS during emergency situations be designated, or that the use of the SPDS be sufficiently spelled out in procedures such that it will not be ignored in an emergency.

4.6 "THE SPDS SHALL CONTINUOUSLY DISPLAY INFORMATION FROM WHICH THE SAFETY STATUS OF THE PLANT .. . CAN BE ASSESSED . . ."

4.6.1 Discussion n- -r v e u +, a the Sons, the redundancy of its coSponents, and the fail-over design of the CPUs indicate the SPDS's ability to provide safety status information to the operating crew. The safety function indicators aopee on all SDDS displays. We could not determine, however, if the safety j f anction in:'icators appear on all displays that may be called up on control i' room PMIS terminals. Furthermore, no information was contained in the coce.em praice; for review concerning the operating procedures for PM*S that ensure the safety function indicators are continously displayed.

4.6.2 Evaluation We could not determine that this requirement of Supplement I to N 3 EG-0737 has teen re*, NPPD should provide additional information as to its l j

me: nod of assuring that the SPDS will enntinuously display information from which the safety status of the plant can be assessed. l l

4.7 "THE SDDS SHf LL BE SUITABLY ISOLATED FROM ELECTRICAL OR ELECTRONIC

NTERFEREN;E w;Tn EL;PMEN! AND SENSORS THAT ARE IN USE FOR SAFETY SYSTEMS" l 4.7.1 C4s
ussion At the time of the Preimplementation Audit, the acceptance criteria, test procedures, and test results fce the isolation devices were incomplete. The NRC staff requested tnat, in order to complete its review of e'lectrical and ele:tronic isolation of the SPDS from safety systems, the licensee submit the certification report being prepared by Computer Products Incorporated (CPI),

ac:21;H:12/;S/S7 This report [21] discusses the acceptance criteria, testing procedures used to certify proper isolation, and the results of that testing. The NRC s ta f f reviewed this document and prepared a Safety Evaluation Report, Refer-ence 22. This SER document contains the following statement: "Based on our review and the information provided, we conclude that the isolators are qualified isolation devices and are acceptable for interfacing the SPDS with sa fety systens."

4.7.2 Evaluation The evaluation of this requirement was not within the scope of this TER. However, the referenced document indicates that the NPPD SPDS fully meets this requirement of Supplement 1 to NUREG-0737.

4.8 "PROCEDURES WHICH DESCRIBE THE TIMELY AND CORRECT SAFETY STATUS ASSESSMENT WHEN THE SPDS IS AND IS NOT AVAILABLE WILL BE DEVELOPED BY THE LICENSEE IN PARALLEL WITH THE SPDS. FURTHERMORE, OPERATORS SHOULD BE TRAINED TO RESPOND TO ACCIDENT CONDITIONS BOTH WITH AND WITHOUT THE SPDS AVAILABLE'

'E.

. DS:.-'~

No information regarding the licensee's training program and procedures c;verin; this re:.irement of Supplement 1 to NUREG-0737 was provided.

4.E.2 Evaivation e

....,,,t..., ifee7 3 3ere ,.4 8 ,9spect ;; *$q re u4re,9-t 3<

Supplement I to NUREG 0737. The licensee should submit a description of its training program and procedures covering this requirement of Supplement 1 to NUREG-0737 for NRC revie .

4.9 "THE SPDS DISPLAY SHALL BE DESIGNED TO INCORPORATE ACCEPTED HUMAN FACTORS PRINCIPLES 50 THAT THE DISPLAYED INFORMATION CAN BE READILY PERCEIVED AND COvDREWENDED BY SPDS USERS" 4.'.1 Discussion At the Preimplementation Audit, NRC reviewed the human factors plan as presented by the licensee. The NRC concluded that if the functional valldation phase was expanded to include man-in-the-loop testing, the proposed human factors program would be acceptable. In addition, the licensee was requested to provide large color photographs of: 1) all FMIS pages that are derined as SPDS displays, and 2) all unique display / control hardware i interfaces with written descriptions where the displays are not self- '

l ac :21235:12/1B/87 -

18 -

evident. The photographs were provided [23]. The descriptions were provided as Reference 15.

LLNL noted during the Preimplementation Audit that V&V documentation of the human factors program could not be located. NPPD indicated that SAIC was in the process of documenting the human factors review.

Examination of the photographs of the SPDS displays identified several minor human factors discrepancies. In general, however, the design of the displays in the CNS SPDS conform to accepted huren factors principles. The minor items include the use of small-stroke width black-on-red letters on the safety function indicator boxes, most recent tire data on the right side of the trend plots with the scale on the opposite vertical axis (on the left),

and the mixing of "green board" philosophy of display with "plant convention" philosophy of display (red for valve open/ breaker closed, green for valve closed / breaker open).

4.9.2 Evaluation NPPD appears to have incorporated accepted human factors principles into SPDS display designs. However, we could not determine if the human factors

-
;-t- de::-iccf t the NRC Preimple entation Audit team has been acceptat (

completed. Therefore, we could not conclude that this requirement of Supplement 1 to NUREG-0737 has been completely satisfied.

Tne licensee should provide the NRC with documented evidence of the completion of a human factors program for the SPDS displays and controls, and the placement of tne SPDS CRTs in the control room in order to satisfy tnis requirement of Supplement 1 to NUREG-0737.

5. SUM 4ARY The Cooper Nuclear Station SPDS will aid the CNS control room personnel in determinin; the safety status of the plant during abnorrel and emergency conditions, and in assessing whether abnormal conditions warrant corrective actions by operators, to avoid a degraded core. The SPDS will accomplish its purpcse by providin; control room personnel with concise displays related to the critical safety functions as specified in Supplement 1 to NUREG-0737.

H0eeve , there are several actions which NPPD should take in order to assure

ne NR; tna; tne SPDS completely fulfills tne requirements of Supplement 1 to NUREG-0737. These actions are sumnarized as follows:

o Tne licensee should provide the NRC with information that indicates how the SPDS user verifies that the data displayed on the CNS SPDS is current and is being updated, o NPPD should provide documentation for the NRC's review which verifies that the human factors plan as described during the Preimplementation Audit was followed.

ac:21235:12/18/87 -. _ _ _

4 o NPPD should determine the operational requirements for display response times, establish design goals based on these requirements, and modify the SPDS as necessary to achieve these goals. The operational requirements i should incorporate the system demand during severe accident conditions with all SPDS consoles operating.

o NPPD should review the human factors analysis of the keyboard design to determine if the SPDS displays are accessible to the operators through a logical and minimal sequence of steps.

o NPPD should provide the NRC with a description of operator responses and comments resulting from the man-in-the-loop testing and a discussion of l the resolution of any negative comments received. j o NPPD should complete an as-installed system load test and provide, for the  !

NRC's review, a discussion of the test procedure and test results.

o NPPD should provide the NRC with its procedures for preventing the entry of unauthorized data or changes into the SPDS.

o NPPD should assure the NRC that maintenance manuals for the SPDS are prepared and are available to the operators. Spare part usage should also be monitored and changes made as necessary to ensure that proper and adequate spares are maintained at CNS.

o NPPD should provide the NRC with documented evidence of the completion of i 1

a human factors program for the SPDS displays and the placement of the SDDS CRTs in the control room, i o hPPD snoulc submit its proce::ures which describe the timely and corre:t )

safety status assessment when the SPDS is and is not available. NPPD should also submit its training program which indicates how the operators l are trained to responc to accident cc.1ditions both with and without the SPDS available.

Training plans and SDDS operating manuals should be provided to the NRC by NPPD.

o NPPD should provide the NRC with information describing how it ensures l i n a . u .e w e c us: > : s ic.e a magenta or red RPV satursti:n li-it re m with invalid or suspect-level information.

NDDD should inform the NRC how the operator knows if the core cooling SFI

~

is presenting invalid or suspect-information when the SPDS is on a display l which does not have the RPV saturation limit E0 PSI.

o NPPD snould provide additional information as to its method of assuring that tne .SPDS will continuously display information from which the plant i safety status can be assessed.

o NPPD snould provide, for the NRC's review, the test plan and pr0:edure fur I the SPDS/ control board comparison study, the results of the test, and the cisp siticr. of dis:repa .t items.

The following actions, that do not directly affect the SPDS compliance aith regulatory requirements, are suggested to NPPD to improve the CNS SPDS:

o It is recommended that when a plant simulator is available, additional ,

functional validation tests of the SPDS be conducted to fully evaluate the SPDS in the control room environment. These simulator-based functional validation tests should include a severe accident scenario.

5::2 235:12/18/87 _ _ - _ _ _ _ _ _ _ _ _

o NPPD should consider the use of analytic redundancy as a method of data validation for points which have no redundant values with which to make a comparison.

o it is recommended that a primary user of the SPDS during emergency situations be designated, or that the use of the SPDS be sufficiently specified in procedures such that it will not be ignored in an emergency.

?

J I

i ac:21235:12/18/87 l l

1

~

6. REFERENCES
1. U. S. Nuclear Regulatory Conunission, "NRC Action Plan Developed as a Resu' the THI-2 Accident," Washington, DC, NUREG-0660, Rev. 0 (May . ;80 ) .
2. V. S. Nuclear Regulatory Commission, "NRC Action Plan Developed as a Result of the TMI-2 Accident," Washington, DC, NUREG-0660, Rev.1 (August 1980).
3. U. S. Nuclear Regulatory Commission, "Clarification of TMI Action Plan Requirements," Washington, DC, NUREG-0737 (November 1980).
4. U. S. Nucisar Regulatory Commission, "Clarification of TMI Action Plan Requirements," Washington, DC, Supplement 1 to NUREG-0737 (December 1982).
5. U. S. Nuclear Regulatory Commission, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," Washington, DC, NUREG-0800, Section 18.2, Rev. 0 (November 1984).
. ~: ic :: A;;1ications Inco porated, "Nebraska Public Pcwer District, Plant Management Information System, Cooper Nuclear Station, Safety Parameter Display System, Safety Analysis," Huntsville, AL, 503-8500000-76 (March 1, 1924).

.7. Science Applications Incorporated, "Nebraska Public Power District, Plant Management Information System, Cooper Nuclear Station, Verification and Validation Plan," Huntsville, AL, SAI-84/1525-264, Revision 0

vy
. ,, c- -
8. Schnee Applications Incorporated, "Nebraska Public Power District, Plant Management Information System, Cooper Nuclear Station, Safety Parameter Display fystem, Implementation Plan," Hun;sville, AL, 503-8500000-27, Revisi:n 3 (Maren 1, 1934).
9. D. B. Vassalio (NRC) to J. M. Pilant (NPPD), "

Subject:

Safety Parameter Display System (SPDS)--Preimplementation Audit," letter (August 3,1984).

10. Sc tence Aeolicatici.s International Corporation, "Final Verification and Vaitcation Report for Nebra na Puolic Power District, Plant Management Information System," Lynchburg, VA, SAIC-86/1097&264&O, Rev :sion 0 (May 30, 1936).
11. Science Applicati,m :nternational Corporation, "Validstion/ Field Installation Veri:, ation Test Report For Nebraska Public Power District, Plant Managemtnt information System," Lynchburg, VA, SAIC-86/1500&264&O (Maren 12,1986) . ,

I ac:21235:12/18/87 1 i

l

12. Science Applications International Corporation, "Man-in-the-Loop Testing for the Safety Parameter Display System at the Cooper Nuclear Station,"

Lynchburg, VA, SAIC-86/3006 (January 17,1986).

13. J. M. Pilant (NPPD) to Mr. Domenic B. Vassallo (NRC), "

Subject:

Submittal cf Additional SPDS Information, Cooper Nuclear Station," let-ter with attachments (February 28,1985).

14. Nebraska Public Power District, "Data Points for Generating Cooper Nuclear Station SPDS Displays," attachment 1 of J. M. Pilant letter to D. B. Vassallo (February 28,1985).
15. Science Applications International Corporation, "Detailed Descriptions of the Displays for the Cooper Nuclear Station Safety Parameter Display System (SPDS)," San Diego, CA, 503-8500000-78, Revision 2 (Februa y 1, 1985).
16. Science Applications International Corporation, "Nebraska Public Power District Plant, Management Information System, Cooper Nuclear Station, Failure Mode and Effects Analyses," Huntsville, AL, 502-8500108-52, Revision C (June 6, 1986). This report revised by NPPD on June 12, 1986.

.  !: : :: f;;:zti: r International Corporation, "Nebraska Publi, Dover District, Site Availability Test Reoort," Huntsville, AL (April 17, 1986).

12. Nebraska F.b'i: Power District, "MTBF Cals for the Power Supply System to the PIMS Equipment,' Calculation No. NEDC-84-076, Columbus, NE ,

(January 13,1985).

19. Science Applications International Corporation, "Verification and

<--;-i.*; ear >-sta- Disp 1*y Syste~s ," Nu: lear Safety Analysis Center, Palo Alto, CA, NSAC/39 (December 1981).

- 20. D. R. Muller (NRC) to G. Laines (NRC), "

Subject:

Safety Evaluation Related to the Detailed Control Room Design Review of Cooper Nuclear .

Statice," me?.: (0:tocer 14, 1985).

21. Computer Procucts Incorperated, "Isolation Test Procedure for Fiber 0;ti:s," F: t Lauderdale, FL (December 13,1984).
22. M. Srinivasan (NRC) to Faust Rosa (NRC), "

Subject:

Cooper Nuclear Station--Review of Isolation Devices tna: Interface with the SPDS," me :

(August 6, 1986).

23. Neoraska P;olic Power District, color photographs in attachment to J. M. Pilant letter to D. B. Vassallo (February 28,1985).

at :21235:12/18 /87 .

l l

i I

=

l  :

)

l 1

l i

ATTACHMENTS l

l l

l i

1 i

l l

l et :21235:12 /18 /87 34 1

i I

1 l

TER ATTACHMENT I Table 1. Field Input Points for Generating Cooper SPDS Displays. l

\

l l

Point Listed New Type' Variable Name in SAR** Point Point 10 l l

1 i

I 8000 A APRM A flux level )

8 2 8001 A  ;

X A C B002 X l 8003 A D '

I 8004 A E X

B005 A F x  !

0 APRM upscale alars alara(any()any)

A527  ;

A52S D APRM inoperative I j

APRM Ch A bypa: sed I A535 0 Ch 8 x A536 0 Ch C x A537 0 1

A53c L Ch 0 Ch E 1 A539 0 Ch F x AS40 0 X

A040 A $RM los count rat e Ch. A B X N041 A A C I h: :

A 0 1 N043 A5:e 0 SRW detector not startup position (any) 1 SRM vpscale alarm (any) x A520 0 A521 0 SRM inoperative alarm (any) I SRM bypassec (any) x A533 0 M520 0 All control ocs in I Reactor scre Ch A 1 0530 0 8 x 0531 0 B071 A RPV water level - narrew range (0 to 60') A 1 B I M01: A C I h011 A .

G032 A RPV water level  !

wide range (-150' to 60') A x B I G033 A N009 A RPV water level - fuel zene range (-100* to 200') A m x N010 A B*** I h013 A Reactor pressurt (0-1500 psi)A X A 8 1 N014  ;

M54 0 Group 1 isolation A signal x B X D555 0 N781 0 Group 2 isolation signal - inboara X N782 0

- outboard I .

M783 D Group 3 isolation signal inboard I

m -

Table 1. Field Input Points for Generating  :

Ce ner SPDS Displays (Continued).

l Point Listed New  ;

Point 10 Type' Yariable Name in SAR" Point '

N784 0 Group 3 isolation signal - outboard X M785 0 Group 4 isolation A signal X M786 0 3 X N787 0 . Group 5 isolation A signal X M788 0 8 I N789 0 Group 6 isolation A signal X M790 0 B X M791 D Group 7 isolation signal - inboard 1 M792 0 - outboard X M797 D Main steam iso valve A inboard X M801 D A outboard X M798 D Main steam iso valve B inboard I hi.m L & cuthcarc I M799 D Main stens iso valve C inboard X i NB03 D C outboard X l h5Z D Main staa: 1so valve D inboard X M804 D. D outboard X 055f D Main sta relief valve A pres:; sw X l

T142 A A temp I i 0557 0 8 press en X i .u ^ b tew I D558 0 C press sw I T144 A C temp X 0559 0 0 press sw I T145 A 0 temp X 0560 D 5 press sw X T146 A E temp I 0561 0 F press sw I M47 A F temp X 0562 0 G press sw I n4 A 6 tem X D563 D H press sw I T149 A H temp I MIS 6 A K5 safety valve A tec:p I T139 A A temp 1 M187 A B tamp I T140 A B temp X N18-8 A C temp X T141 A C temp X N002 A HPCI flow I N003 A RCIC flow I .

N000 A Core spray pump A flow I N001 A 8 X M578 0 Core spray A status -

X .

l Table 1. Field Input Points for Generating Cooper $PDS Displays (Continued).

i )i nt Listed New Point ID Type' Variable Name in $ AR" Point M580 D Core spray I status I I

N004 A RXR loop A flow I N005 A B I I M861 D RHR pump 1A status I l M862 D 1B status I  !

NS63 D IC status I NB64 D 10 status I NB06 D RRR suction isolation valve, inbd I NS07 D RHR suction Isolation valve, outbd 1 Mol7 A Containment (drywell) pressure

(-5 to +5 psig) A I NOIS A B I ib A Drystii pressure (0-60 psia) A I F085 A 8 I M161 A Drywell temperzture PT-10 I )

M161 A Pi-11 I  !

M163 A PT-12 I l N 76 A Dyvell zone 2B area tem; 8 7 N277 A D I Tl?? A Drywell hydroyan level I h... A Drywell/ torus 0-n oxygen  !

level I N06: A Orywell/ torus 0-1D% oxygen i 1

level I N065 A Drywell/torvs 0-25% orygen level I N627 0 Drywell oxygen sample No.1 I N628 D Drywell oxygen samle No. 2 I N629 D Drywell oxygen samle No. 3 x 1630 0 Torus orygen sample I h61. D Drywell/ torus oxygen range No. 1 (0-57) I NE32 0 Dryvell/ tor.is oxygen range No. 2 (0-10%) I N633 D Orywell/ torus oxygen range No. 3 (0-251) I N059 A Drywell flr sump pump 1F1/2 flow I N060 A pump 161/2 flow I l N063 A High range drpell airlock area j rad u nitor I I

I N023 A Suppression pel water temp 1A I NO24 A IB I N025 A 1C I t

I

Table 1. Field Input Peints for Generating Cooper SPOS Displays (Contineed).

Point Listed New Point ID Type' Yariable Name in SAA Point NO26 A Suppression pool water temp ID X N027 A 1E I N028 A 1F X N029 A 1G I NO30 A IN X

' NO31 A 2A X NO32 A 2B X NO33 A 2C I NO34 A 2D X NO35 A ZE X MO36 A ZF X NO37 b 2G X NO38 A 2H X N019 A Suppression pool level (0-30') A X N0?O A B X NO21 A Containrent water level (0-100') A X h:22 A B X N079 A ERP normal range rad monitor I 8

A03 J PV effluent nor=al range rac mon X N074 A Rx bldg effl'. ant rad monitor -

N065 A Turoine bids effluent normal '

range rad mon X NOS2 A SJAE raciation monitor A X NCS3 A B X NOS .A SJ AI A ai r flow X NOSE A B air flos X Notes:

  • A = analog, D = digital

SPDS Sr.f ety Analysis Report, document 503-8500000-76

'"tata points not yet available on PNIS, but SPDS has display features and software to present this data when it becomes availabit

th3-4500000-74 (Rev. "' 1/4/45 TER ATTACHMENT 2 Table 31. Data Points for Generating Cooper SPDS Displays.

Point point ID* Type" Variable Mara Use***

8000 A APRM A flut level Calculate 5P058011 8001 A B Calculate SPD38011 8002 A C Calculate SPD580Il  ;

8003 A D Calculate SPDSBOIl  !

B004 A E Calculate SPD58011 8005 A F Calculate SPDSBOIl ,

SPD50006 MMI Healthy maxisus APRM A.C.E Calculate SPD50008 l

$PDS0007 MMAI Healthy maximam APRM B.D,F Calculate SPD50008 l

$PD50002 HAYE Average APRM (avg of L1.0, L2.1 l

$PD50006,0007) Calculate SPDS0009 l

$POS0009 TRM Average APRM rate-of-change (ROC SPD50008) Lt.0, L2.1 SPD50080 EXTR All APRM below downscala trip L2.1 E51, Calcu.

late SPD50039 A527 t APRM upscale alars (any) L2.1 ESI A528 D APRM inoperative alars (any) L2.1 ($1 A535 0 APRM Ch A bypassed Calculate SPD50001 A536 0 Ch B Calculate SPD$0001 A537 0 Ch C Calculate SPD50001 A...

. Ct. O C.1:. 16te ST;; L .

A539 0 Ch E Calculate SPD50001 ASAO D Ch F Calculate SPD50001 SPD50001 HOR Any APRX bypassed L2.1 ESI (OR of A535 to AS40) -

Modo A SRM log count rate Ch A Calculate SPD50014 MS41 A B Calculate SPD50014 M042 A C Calculate SPDS0014 x;4; A D Calculate $P0500'4 SPD50014 KAVE Average SRM (healthy avg. L2.1, calculate N040,M041,M042,M043) SPD50013, $P050015 l 57:5C:13 t,0G Log of average SM (LOG L2.1 SPD50014)

SPD50087 TRM Average SRM rate-of-change (ROC SPD50014) Calculate SPD50015 SPD50015 EITR 3RM reactor period L2.1 A519 0 SRM detector not startup L2.1 ESI position (any)

A520 0 SRM upscale alars (any) L2.1 E5!

A521 D SRM inoperative alars (any) L2.1 ESI A533 0 SRM 'oypassed (any) L2.1 ESI -

1

,, , 603-4500000-78 (Rev. 2) *1/4/88 Table 3-1. Data Points for Generating Coopar SPDS Displays (continued). -

Point ~

Point 10' Ty p e ** Variable Name Usem N520 D All control rods in L1.0 A L2.1 ESI 0530 0 Reactor scram Ch A Calculate SPD50083 0531 D 5 Calculate SPD30083 SP050003 KAND Reactor scram A/S (D530 AMD 0531) Calculate SPD50039 SPOS0039 EXTR Reactor scram status L1.0 & L2.1 E5!

IGL,, MODE GC Plant mode Mode designation 8021 A Reactor water level -

narrow range (0 to 60') A '

L2.2, Catculate SPDSBOX2 Noll A B L2.2, Calculate SPDSBOX2 h '. 1. C L2.2. Calculate.

SPDSBOX2 SPD50016 TRAN RPY water level MR A rate-of-change (ROC 8021) L2.2 SP050017 TRAN MR B rate-of-change (ROC N011) L2.2 l 5905001 P T7AN NR C rate-of-change (ROC N012) L2.2 <

SPOS0019 RAVE Average narrow range RPY level L1.0, L2.2,  !

(healthy avg. 8021 N011 N012) Calculate 57050020 l Fr h v h Averagt narrom range RPY level l rate-of-change (ROC $PD50019) L1.0, L2.2 '

6032 A RPY water level wice range (-150' to 60') A L2.2, Calculate SPDSB012 6033 A 8 L2.2, Calculate SPDSB012 SPDS0021 TRAh RPV vater level WR A rate-of-change (ROC 6032) L2.2 5P050022 T7A5 WR S rate-of-change (ROC 6033) L2.2 SPD50023 MAYE Average wtde range RPV level L2.2 L3.15, Calc (healthy avg, 6032,6033) $PD50024 4 SPD50029 SPOS0024 TRAh Average wide range RPV level rate-of-change (ROC SPD50023) L2.2, L3.15 i

N009 A Reactor water level - fuel zone i range (-100' to 200') A L2.2  !

N010 A Reactor water level - fuel zone I range (-100' to 200') 8 L2.2

$POS0025 T;i.M RPY water level F2 A rate-of-change (ROC N009) L2.2 I l

1

. 603-4500000-74 (Rev. 2) 1/4/85  ;

Table 3-1. Data Points for senerating Cooper $POS Displays (continued).

l l

'/ oint Point ID* Typ e" Variable Name Us e *a SPD50026 TRAM FZ 8 rate-of-change (ROC N010) L2.2 SPD50027 KAYE Anrage FZ range RPY level L2.2, Calculate (healthy avg, 2009, N010) 57D50028 4 $PD50029 SPD50028 TRAM Ayerage FZ range RPY level rate-of-change (ROC SPD50027) L2.2 SPD50029 11TR RPY sinic water level (healthy Lt.2 avg, onscale 8032, G033, h009 4 N010 after conversion to cocinen reference zero) vra- 8 Reacter pressure (0-1500 pri) A Calculate SP05003: i )

$PDS8013 i M014 A B Calculate SPD50030 & !

$PDSBDI3 l SPOS0030 RAYE Average RPY pressure (healthy L1.0, L2.2, L2.3, l avs, N013, M014 ) L2.4 L3.1, L3.3, L3.11 & L3.15 Calculate SPD50031 5 r 000::', 't.7 /.r; Ptv pmssurs rate-cf e.v.S; (ROC SPD50030) L1.0, L2.3 & L3.15 0554 0 Group 1 isolation A signal Calculate SPD50032 0555 0 8 Calculate SP0$0032 SPD50032 HOR Group 1 (D554 OR DEES) L2.3 & L2.4 ESI, Calculate SPDSBOI3 N781 0 Croup 2 isolation signal

- inboaN Calculate SPD50033 M?tr 0 - outbea N Calculate 5F05003:

SPD50033 HOR Group 2 (M781 OR N782) L2.3 & L2.4 LSI M783 D Group 3 isolation signal

- inboaN C41culata SPOS0034 M784 0 - outboaN Calculate SPD50034 SP050034 HOR Group 3 (M783 OR M784) L2.3 & L2.4 ES!

M785 D Group 4 isolation A signal Calculate SPDS0035 M786 0 B Calculate SPD50035 SPOS0035 HOR Group 4 (M785 OR M786) L2.3 & L2.4 ESI M787 D Group 5 isolation A signal Calculate SPD50036 M788 0 8 Calculate SPD50036

$PD50036 HOR Group 5 (M787 OR M788) L2.3 & L2.4 ESI M7ES 0 Group 6 isolation A signal Calculate SPD50037 M790 D l Calculate 57050037 SPOS0037 HOR Group 6 (M789 OR M790) L2.3 & L2.4 [SI

l

. i

. 503-4500000-78 (Rev. 2) ,

1/4/85 Table 3-1. Data points for senerating Cooper SPOS Displays (continued).

Potnt Point 10' Typ e" Variable Name Usam M791 0 Group 7 isolaticn signal l

- inboard ' Calculate SPD50038 l M792 0 - outboard Calculate $P050038 l SP0$0038 HOR Group 7 (M791 OR M792) L2.3 & L2.4 ESI M797 0 Main steam iso valve A inboaN Calculate SP050002 M801 D A outboard Calculate SPD50002 59050002 MND K$ly A (N797 AND M801) Calculate SP050010 M798 D Main steam iso valve B inboard Calculate SPD50003 M802 0 B outboard Calculate $POS0003 SPOS0003 MAND MS!Y B (M798 AMD M802) Calculate SPD50010 kHi 0 bain steac. isc valve C inboaN Calculate SF050 L.

M803 0 C outboarti Calculate SPD50004 5P050004 KAND MS!Y C (N799 AND M803) Caleviate $P050010 M500 0 Main steam iso valve D inboaN Calculate SP050005 N804 0 0 outboard Calculate SP050005 SPOS0005 K1C MSly 0 (N800 AND MSO4) Calculate SPD50010 SPD50010 EIn M51Y status L2.2 & L2.3 ESI, Calculate SPDSBOX3

. 0555 D Main str. relief valve A press sw Calculate SPD50089 Tla2 A A tar.p Calculate SPOS00S9 SPOS0029 EXn A

  • position' L2.4, Calc SPOS0050 0557 0 8 press sw Calculate SP050093 T143 A B temp Calculate SP050093 59050093 EXTR 8
  • position
  • L2.4, Calc SPOS0050 0555 D C press Tu Calculate SP050094 T1tt A C temp Calculate 57050094 SPD50094 EI'A C
  • position' L2.4, Calc SPD50050 0559 D D press sw Calculate SP050095 Tla5 A 0 ter9 Calculate SPD50095 SPOS0095 EIR D
  • position
  • L2.4 Calc SPD50050 D560 0 E press sw Calculate SPD50096 TIA6 A E tee 9 Calculate 5P0$0096 SP050096 EITR E ' position' L2.4, Calc SPOS0050 0561 D F press sw Calculate SPD50097 T147 A F temp Calculate SPD50097 SPOS0097 UTR F
  • position' L2.4, Cale SP050050 0562 D G press sw Calculate SPD50098 T148 A C temp Caleviate SPD50098 SP050098 EXTR G ' position' L2.4, Calc $P050050 0563 D H press sw Calculate SPD50099-T149 A H tes9 Calculate SPD50099 SPD50099 UTR H "position
  • L2.4, Calc $P050050

, .'503-4500000-78 (Rev.1) 1/4/85 Table 3-1. Data Points for Generating Cooper SPD$ Displays (continued).

Point Point ID' Typ e ** Variable Name Use rs' M186 A MS safety valve A temp Calculate SPD50040 T139 A A teop Calevlate SPD50040

$P050040 EITR A

  • position
  • L2.4, Calc $PD50050 M187 A B temp Calculate SP050041 T140 A B temp Calculate SPD50041 SPD50041 EITR 5 ' position' L2.4, Calc $P050050 M188 A C temp Calculate $PD50042 T141 A C temp Calculate $PD30042 SPDS0042 EITr C ' position' L2.4, Calc $PD50050 SPD50050 EXTR Numter of SRYs open L2.2 4 L2,3 (RY A to M + $Y A to C) ESI, Calculate SPDSB013 M002 A HPCI flow Calcolate $PD50085 SPD5002E EITR HPCI status L2.4 4 L3.15 ISI N003 A RCIC flow Calculate SPDS0086 SP050086 EITA RCIC status L2.4 4 L3.15 ESI M000 A Core spray pues A flow L3.9 N001 A B L3.9

":'" Ce*e spray A statu: L3.9 i L2.1! E!:

M580 0 8 L3.9 4 L3,15 ISI M004 A RHR loop A flow L3.8 M005 A B L3.8 M861 0 RHR FJmp 1A status L3.8 4 3,15 ESI M862 0 IB status L3.8 4 3.15 ESI M863 0 IC status L3.8 4 3.15 ESI M864 D ID status L3.8 4 3.15 ES!

M806 D RHR suction isolation valve, inbd Calculate $POSBOI3 M? - t RHR suctice isolation valve, outbd Calculate SPDSB013 N017 A Containrent (drywell) pressurt

(-5 to +5 psig) A Calculate SPCS0043 SPOSBOI2, SPOSBOI3 N018 A B Calculate SPD50043 SPDS8012, $POSB013 SPD50043 HAVE Avg narrow rar.ge drywell pressure (healthy avg M017,N018) LI.0, calc $PD50044 SPD50044 TRM Avg MR drywell pressure rate-of-change (ROC $PD50043) L1.0

}

503-8500000-78 (Rev. t) '

1/4/85 i

l Table 3-1. Data Points for Generating Cooper SPD5 Displays (continued).

Point Point ID* Type" Variable Name use "*

F084 A Drywell pressure (0-40 psia) A Calculate SPD50045 F085 A 8 Calculate $PD50045 3P050045 MAYE Avg mid-range drpell pressu~e L2.3. L2.4, L3.4, (healthy avg F084. F085) L3.5, L3.6 L3.7, i L3.8 & L3.9, i Calculate $POS0046

$PD50046 TRAN Avg mid-range drywell pressure rate-of-change (ROC $PDS0045) L2.4 M161 A Drywell temperature PT-10 Calculate SPD50051 M162 A PT-11 Calculate SPD50051 And A PT-12, Cliculate SPD50051 M276 A Drywell zone 25 area temp B Caleviate SPD50051 h277 A D Calculate SP050051 <

l S 0$00E1 Kw.U Calculated drywell ted L2.4, L3.11, Calc (healthy anx, M161 M162, SPD50052 4 SPDSBOI4 M163, M276, M277)  ;

M .;bOM IPA % Avg drywell tMp rate-of-change L2.4 l (ROC SPD50051)

T122 A Drywell hydrogen level L3.6 K61 A Drywell/ torus 0-5t oxygen Calculate SPD50063, level SPDS0090, $PDS0091, 4 SPD50092 h062 A Drywell/torvs 0-10% oxygen Caleviate SPD50069, level SPD50090, 3P050091 4 $PD50092 N065 A Drpell/ torus 0-255 oxygen Calculate SPD50069, level 5P050050,SPOS0091 I

4 $PDS0092 M627 0 Drywell oxygen sample No.1 Calculate $PD50090 M628 0 Drywell oxygen sagle No. 2 Calculate SPD50091, i

& $PD50092  !

4 N629 D Drywell oxygen sample No. 3 Calculate SPD50092 i M630 0 Torus oxygen sample Calculate SPD50069 l N631 D Drywell/torvr. oxygen range Calculate SPD50069,  ;

No. 1 (0-55) $PD50090, SPD50091 4 3PD50092 i N632 D Drywell/ torus oxygen range calculate SPD50069, No. 2 (0-101) $PD50090, $PD50091, 4 $PD50092

.__,,_..,..,c.., _ , , , -

l l

. - 503-4500000-78 (Rev.1) 1/4/85 Table 3-1. Data Points for Generating Cooper SPDS D! splays (continued).

~

Point Point ID* Typ e" Variable Name Usam M633 0 Drywell/ torus oxygen range Calculate SPDS0069, No. 3 (0-255) SPD50090, SPD50091, 4 SPD50092 SPOS0090 EXTR Calculated drywell oxygen, Calculate SPD50053 point 1 5P050091 EXTR Calculated drywell oxygen, Calculate SPD50053 point 2 SPOS0092 EXTR Cali:ulated drywell oxygen, Calculate SPDS0053 point 3 5P050053 HMI Healthy saxisua drywell oxygen L3.6 SPDSCS9 EXTR Calculated torus oxygen L3.7 >

N059 A Drywell flr sump pep 1F1/2 flow Calculate SPDS00EA N060 A puen 1G1/2 flow Calculate SPD50055

$90500f! EITR Drywell sucp pung status L2.3 ESI N053 A High range drywell airlock area L?.3, Calc SPD50049, rac monitor SP050082 & $PDSB013 5P050082 LOG Log of drywell area rad (LOG L2.3 SP050049 TRAh HigIrange drywell airlock area rad monitor rate-of-ct..nge

. (ROC N063) L2.3 M;;3 A Suppression pool water teeg 1A Calculate SPOSOOSE N024 A 1B Cale.ulate SP050056 n;;! A 1C Calculate 570$0057 NO26 A 1D Calculate SPD500Sa N::- A 1E Calculite $POS005; N028 A 1F Calculate SPD50060 NC29 A 16 Calculate 57050061 N;3; A 1H Calculate SPOS0062

031 A B Calculate SPOS0055 MO32 A 2B Calculate SP050056 NO33 A 2C Calculate SP050057 M034 A Suppression pool water ten
p 2D Calculate SPOS0053 NO35 A ZI Calculate SPD50059 M036 A 2F Calculate SPD50060 M037 A 2G Calculate SPDS00%

N058 A 2H Calculate SPDS0062 SP050055 MAYE Supp. pool temp healthy avy 1A. 2A L2.4, calc SP050094 SPD50056 KAYE Avl 18, 23 L2.4, calc SP050095

1

.. 403-4500000-78 (Rev. 2) , 1/4/85 Table 31. Data Points for Generating Cooper SPD$ Displays (continued).

Point "

Point ID* Typ e " Yariable Name Us e '"

SPD50057 MAYE avg IC, 2C L2.4, calc $PD50096 SPD50058 HAVE avg ID, 2D L2.4, calc $PD50097 5P050059 MAYE avg II, 2E L2.4, calc $PD50098

$PD50060 KAYE avg IF, 2F L2.4, calc $PD50099

$PD50061 HAVE avg 10, 2G L2.4, calc SPD50100

$PD50062 RAVE avg 1H,2H L2.4, calc 3PD50101

$PD50063 PAYE Overall avg supp pool water temp L2.4, L3.1, (healthy avg SPD50055 to 0062) L3.5, L3.8, L3.9, Calculate $PD50064 4 $PDS8014 SPD50064 TRAN Avg supp pool teep rate-of-change (ROC SPD50063) L2.4 5P030054 EXTR Delta T heat capacity (lisit sinus SPDS0063) L3.2 M019 A Suppression pool level (0-30') A Calculate SPD50065 M020 A B Calculate SPDS0065 SPD50065 KAYE Avg supp pool wide range level L2.4, L3.2 L3.3, (healthy avg N019, NC20) S T1, c a l c.1 a SPD50066 4 SPOSBOX4 SPDS0066 TRAM Avg supp pool wide level rate-of-change (R00 SPDS0065) L2.4 M21 A Contaircent water level  ;

(0-100')A Calculate SPDS0067 M022 A B Ca*sculate SPD500f7 SPDS x67 FAVE Avg cent, wide range level (healthy avg M021, NO22) L3.4 M079 A ERP normal range rad monitor L2.5, Calc $PD50070, SPDS0071 4 SPDSBCP -

SPD50070 ( 03 Log of ERP normal range L2.5 l

(LOG N079)

SPD50071 TRAN ERP effluent rate-of-change 3 (ROC N079) L2.5 N073 A A0G ti RW effluent norral range L2.5, Calc $PD50072,  ;

rad son $P050073 4 $PDSBOX5  !

SPD50072 LOG Log of A0G & RW normal range L2.5 (LOG N073) t t

SPD50073 TRAN A06 8 RW eff rate-of-change I

(ROC N073) L2.5  !

d

503-4500000-74 (Rev.1) 1/4/st

  • Table 3-1. Data Points for Generating Ceoper SPOS Displays (continued).

Point Point ID' Typ e" Yariable Name Use***

N074 A Rx bldg effluent rad monitor L2.5, Calc SPD50074, SPD50075 4 SPDSBOIS SPD50074 LOG Log of Rx b1dg effluent L2.5 (LOG N074)

$PD50075 TRAM Rx b1dg effluent rate-of-change (ROC N074) L2.5 N069 A Turbine b1dg effluent normal L2.5. Calc $PD50076, range rad son SPD50077 A SPDSBOIS SP050076 LOG Log of turb b1dg effluent L7.5 (LOG N069)

SA0$0077 TRAM Turb bldg ef f rate-of-change (ROC N069) L2.5 NG82 A SJAI radiation monitor A C.lculate SPD50078 NOS? A B Calculate SPOS007F hw A SJAE A air flow Calculate SPDS007B NOSS A B air flow Calculate SPDS0078 SP05007B D 1'R Calculated SJAE sffluent L2.5. Calc SPD50075, SPD50081 4 SPDSBCIS SPOS0081 LOG LOG of SJAE effluent (LOG SPDS0078) -

L2.5 e*e w e *; t o S.'f E ef fluent rate-ef.chaat?

(ROC SPD50078) L2.5 SPOS0008 Em Supp. pool heat cap. tem lia. L2.4 E0 PSI SP05001B D3 Supp. pool heat cap. level lia. L2.4 E0 PSI SPOS0028 Em Supp. pool load lie. L2.4 E0 PSI SPOS004B EITR Containment pressure lie. L2.4 E0 PSI SP050068 Em Drywell spray init press lia. L2 4 E0 PSI SPOS007B Em Drywell hydrogen lia. L2.4 E0 PSI 5P050098 EITR Orywell oxygen lie. ---- L2.4 ECPS I

$P05010B EITR Torvs oxygen lia. L2.4 E0 PSI SP05011B EXTR MPSK lia. L2.2 E0 PSI 5705021B Em Constant 100 psig ' 3.15 E0PS F SP05022B EITR Constant 425 psig L3.15 E0 PSI SPOSC23B EXTx RPV press hi/ level inc. l.3.15 E0 PSI SP05024B EXTR RPV press int / level Inc. L3.15 E0 PSI SP0$025B EITR RPV press low / level inc. L3.15 E0 PSI SP05026B EXTR RPV press hi-int / level dec. L3.15 E0PS!

SP0$027B EXTR RPY press law / level dec. L3.15 E0 PSI SPD50288 EXTR RPY sat temp lia L1.0. L2.2 a L3.15 E0 PSI 1AD_ELP t," SAA *E' driver SAA *E'

503 8500000 78 (Rev. 2) 1/4/85 1

1 Table 31. Data Points for Generating Cooper $PDS Plisplays (continued).

Point Point ID* Type ** Variable Name Use***

SPDS8011 EXTR Reactivity control SFI driver SFI SPDSBDX2 EXTR Cort cooling SFI driver SFI SPDS8013 EXTR Coolant sys integrity SFI driver SF!

SPDSB014 DTR Containment, integrity SFI SFI driver SPDSBOIS EITR Radioactive release SFI driver SFI SPD501DS EITR APRM (SPD50008) DMSC ind L1.0 & L2.1 DNSCI SPDS02DS EITR RPV press (SPD50030) DMSC ind L1.0 4 L2.3 DNSCI SPD503DS UTR RPY level avg MR (SPD50019) L1.0 DMSCI DNSC ind SF.,50C S D TA Drywell press (57050043) DhSC L 1 . 0 D hSt.1 ind SPD50505 EXTR SRM (SPDS0014) DMSC ind L2,1 DNSCI SPDSOG5 Dik RPY level KR A (B021) DhSC ind L2.2 DNSCI SPD507DS DTR 8 (MD11)

L2.2 DMSCI SPD508DS EXTR C (MD12) L2.2 DMSCI SPD50905 EITR RPY level int A (6032) DMSC ind L2.2 DNSCI

$P;;510a uin b (6033) L2.2 DhSCI SPDS1105 EITR RPY level FZ A (N009) DMSC ind L2.2 DNSCI I 5P051205 EITR 8 (M010) L2.2 DNSCI SPDS13DS EITR Drywell press (SPD50045) L2.3 & L2.4 DNSCI MR DMSC ind SPDS14DS DTR Contaitunent rad (itD50082) L2.3 DNSCI DNSC ind SPDSISDS EITR Drywell tup (SPD50051) DMSC ind L2.4 DMSCI i

SPDS16DS EITR Supp. pool level WR (SPD50065) L2.4 DMSCI DKSC ind l SPDS17DS IITR Supp. pool temp avg (SPD50063) L2.4 DMSCI l DMSC ind SPDS1805 EITR ERP eff (SPD50070) DNSC ind L2.5 DNSCI SPDS19DS EITR A0G & RV eff. (SPD50072) L2.5 DMSCI DNSC ind .

SPDS20DS EITR Ex b1dg. eff. (SPD50074) L2.5 DNSCI DMSC ind  ;

SPDS21DS EXTR Turb. b1dg ef f (SPD50076) L2.5 DMSCI DMSC ind SPD522DS EXTR SJAE eff. (SPD50078) DKSC ind L2.5 DNSCI SPD501MV EITR Average APRM (SPD50008) NV L1.0 4 L2.1 My!

SPD502MY DTR Average SRM (SPD50014) RV L2.1 My1

503-4500000-74 (Rev. 2) i 1/4/44 Table 3-1. Data Points for Generating Cooper SPDS Displays (continued).

Point Point ID* Type" Variable Name Use **

SPDS03NY EITR Average narrow range RPY level L1.0 NY!

(SPDS0019) NY SPDSO4NY EXTR Average vide range RPY level L2.2 4 L3.15 NY1

($PD50023) NY SPD505NY EXTR Average FZ range APY level L2.2 NV!

(SPD50027) NY SPD506NY EXTR Muisua drywell tcap (SPD50051) L2.4 4 L3.11 NVI NY SPDS07NY EXTR Average VY pressure (550$0030) L1.0 L2.2. L2.3, NV L2.4. L3.1, L3.3, L3.11 4 L3.15 NYI SPD508NY EITR Avg NR drywell pressure L1.0 NYI (SPD50043) NV SPDSO9NY UTR Avg MR drywell pressure L2.3. L2.4, L3.a #

SPDS10NV EITR (58D50045) NY to L3.9 Kil Supp pool 1A. 2A temp L2.4 NYI (SPD50055) NY SPDS11NY EITR Supp pool 18, 25 teep L2.4 NY1 (SPDS0056) WV SPDS12NY EXTR Supp pool 10, 2C teco L2.4 NY1 (SPDS0057) My SPDS13MV EITR Supp pool 1D, 2D tece L2,4 NY!

(SFD50D5E) Ki SPDS14NY UTR Supp pool 1E, 2E tang L2.4 NYI (SPD50059) NY SPDS15NV DTR Supp pool 1F, 2F temp L2.4 NVI (SPDS0060) NY SPDS16NY EI'R Supp pool 16, 2G temp L2.4 NYI (SPDS0061) NY SPDS17NY EITR Supp pool 1H, 2H temp L2.4 NYI (SPD50062) NY SPDS18NY UTR Supp pool WR level L2.4, L3.2 3 (SPD50065) NY L3.3 Ny1 SP3519NY UTR Containment Wt level (3.4 NYI (SPD50067) NY SPD50100 PSEU Spart l SPD50101 PSEU Spare j

$PDS0102 PSEU Spare '

SPD50103 PSEU Spare SPDS0104 PSEU Spari SPD50105 TRAN Spare SPDS0106 TRAN Spare i SPD50107 TRAN Spa rt I

\

l 503-4500000 74 (Rev. 2) 1/4/85 Table 3-1. Data Points for Generating Cooper SP05 Displays (continued).

l Pcint Point 10' Type a Yariable Name -Us e **

l

$POS0108 TRM Spare

$PD50109 TRM 3 pare SP0$0110 BOOL 3part SPD50111 800L 5part .

SPDS0112 800L Spare

$POS0113 800L 5 pare l SPOS0114 800L Spart

$PD50115 UTR fpart

$PD50116 EXTR Spart SPD50117 EXTR 5 pare t SPD50118 EITR Spart

$PDS0119 EITR Spart SP050120 EITR 3part

$POS0121 EXTR 3part SPO! '::

. CC !Nri

$PDS0123 EXTR Spart SPOS0124 EXTR Spare Notes:

Frrur digit point ID nuscers indicate analog or digital points available on PMIS. Eight digit point ID numbers pref aced with the characters

'; 7 .~ . ' . r s c u s p c s e o p o i n t s.

" Point type: A = analog 0 = digital PSEU = pseudo enalog, spare WAI = pseuco analog, saximJe of healthy inputs RAVE s'pseuco analog, healthy average  !

LOG = pseudo analog, logarithm TRM = transf ors, rate-of-change 800L = loolean, spart  ;

HOR = Boclean, healthy OR MMD = leolean, healthy AC EITR = external (real)  !

G: = PMIS global coeren variable i If the variable appears in a df splay, the display is identified as follows: j 1

Level 1 display L1.0 = overview bar l

l l

]

T .

. ./ ' ' .' ,, ',1503-450,0000=74 (Rev. 2) 1/4/85 Table 3-1. Data Points for Generating Cooper SP05 Displays (continJed).

> Level 2 displays In this table. Level 2 displays are identified only by t.".etr first

, two digits. The third digit in the Level 2 display designation uniquely identifies multiple displays related to the same function as follows: L2.1 are reactivity control displays, L2.2 are core cooling displays, L2.3 are coolant systes integrity displays, L2.4 art containment integrity displays, and L2.5 are radioactive release displays. The full set of Level 2 displays are the following:

L2.1.1 L2.1.2 == coactivity reactivity control control (trend (bar) ) .

L2.2.1 = RPY water level (bar/RPY sisic)

L2.2.2 = core cooling (trend)

L2.3.1 = coolant systes integrity (bar)

L2.3.2 = coolant system integri y (trend)

L2.4.1 = containment integrity bar) -

L2.4.2 = containment integrity trend)

L2.4.3 = suppression chamber sisic L2.5.1 = radioactive release (bar)

L2.5.2 = radioactive release (trtnd, page 1/2)

L2.5.3 = radioactive release (trend, page 2/2)

- Level 3 displays L3.1 = heat capacity temperature limit L3.2 = heat capacity level licit L3.3 = suppression pool load limit L3.4 = containment pressure limits

!'r m:P s;ny ir.itiaticr. press.r t lia.it L3.6 = drywell hydrogen and oxygen status L3.7 = suppression chanber hydrogen and oxygen status L3.8 = RMi pump MPSH limits L3.9 = LPCS pump NPSH limits L2.11 = RPY saturation temperature limit L3.12 = maxiw. core uncovery time limit L3.15 = RPY pressure / level status matrix Status indicators SF1 = safety function indicator (on all SPOS displays)

ESI = equipeant status indicator E3FSI = emergency operating procedurt limit status indicator DKSCI = downscale indicator NY1 = not-valid indicator L__

q TER ATTACHMENT 3 .

Table 2. Summary of Variables Listed in the SPDS Safety Analysis' that Were not Implemented in the Final CMS SPDS Configuration.

Variable Reasons for Deletion IRM log power APRM and SRM data provides near-continuous indica-tion of reactor power level. The complexity of deriving valid IRM data is not warranted based on the availability of the APRM and SRM data on the SPDS. IRM data is not required IRM range See above IRM position ,

See above RPY water level, Data not available on PMIS. Possible future addi-refueling range tion as noted in SPDS Safety Analysis Suppression chamoer Data not available on PMIS. Drywell pressure cata (torus) pressurt usec instead Suppression chamoer Data not available on PMIS. Possible future addi-hydrogen concen- tion 15 noted in SPDS Safety Analysis tration Sc:: :: y c:etz9- Anale; data net available on PM 5. No secondary dif ferential press containment display implevented on CMS SPDS because of latt of suitable data on PMIS for assessing over-all secondary containannt status Secondary c:ntain- Analog data not available on PMIS. Possible future ment a re a t em; addition as noted in SPDS Safety Analysis 4

alars status Secondary contain. Analog data not available on PMis. Possible future ee .t HVA: ethaust accition as noted in SPDS Safety Analysis. All radiation level ef fluent release rates are displayed on the Lever Z- - ~

alare status radioactive release displays Secondary contain. No secondary containment display implemented on CMS ment area SPDS because of lack of suitable data on PMIS for radiation level assessing secondary containrent status.

Secondary contain. Analog data not available on PMIS. Possible future ment floor drain addition as noted in SPDS Safety Analysis I and torus area

! water level

-Safety P'arameter Display System Safety Analysis. 503-4500000-76, Revision 0, March 1,1984

^^

[ ,

' Attachment "A" 50'3-4500000 74 (Rev. 4) 4/14/46 TER ATTACHMENT 4 Table 2-1. De ta Quality Codes' PMis No. Code Description Default Color 00 UNK Unknown, point not yet processed Whita 01 DEL Point 6eleted from processing Magenta (first processing control logical = N) 02 NCAL Could not calculate a sof tware computer point (insufficient Magenta healthy inputs to calculation) 03 INYL Data acquisition system front-end Magenta hareware error (assigned by de ta acquisition system) 04 RDEk Sensor read error (assigned by da ta Ma gen ta acquisition sy stan)

O! OTC Open therzoccu;1e de tection (assigned Ma ge n ta by data acquisition systes)

v. cA. Input counts out of sensor range Magenta (assigned by data acquisition system) 07 HEL Point above high reasonable limit Ma gen ta (EU high) in PMIS da ta base OE LRL Point below low reasonable limit Ma gen ta (EU low) in PMIS da ta base 09 RE7J Redundant point clieck slars bastd Mage n ta on redundant peint definition anc tolerance in PMIS da ta base 10 HaLM Point abcve high alare limit in Red Ph!S data base 11 LALM Point below low alart limit in Red PMIS da ta base 12 HwRh Point above high warning limit in Yellow PMIS da ta base 13 LWRh Point belev low warning limit in Yellov PM15 da ta base

AttacLeemt "A" -

503-4500000 74 (Rev. 4) 4/14/46 Table 2-1. Da ta Quality Codes

  • No. PM15

' Code Description Default Color 14 ALM Logical change-of-stata alars on Red digital or logical points 15 508 Substitute value assigned to point 819e (assigned by PMIS based on operator input of substituta value via man-nachine interface) 16 OALM Point deleted from alars processing Green (second processing control logical o W, no quality or Ifrit .

checks are performed on the point) 17 IMHB Alare inhibited by an alare cut-out Green point specified in Ph!S data base (data is good, but the alars function has beer. inhibited by a prescribed plant or system condition that can be defined in teres of the sta tus cf a c)gital alara cutout point)

!! G000 Good green

'hete sent repre

~

tha t'not-heal the first thy9 quality

  • da ta.codes. (UNK to LRL) are considered to consictred Quality codes from REDU to GOOD are ca lcula tions. te re p r e se nt "he a l thy
  • da ta, and are used in ' healthy
  • G e

D e

1

Retrieved from "https://kanterella.com/w/index.php?title=ML20151T583&oldid=2964205"