ML20151A879

From kanterella
Revision as of 17:58, 25 October 2020 by StriderTol (talk | contribs) (StriderTol Bot insert)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Rev 1 to SPDS Safety Analysis
ML20151A879
Person / Time
Site: Grand Gulf Entergy icon.png
Issue date: 09/30/1986
From:
SYSTEM ENERGY RESOURCES, INC.
To:
Shared Package
ML20151A878 List:
References
NUDOCS 8804070279
Download: ML20151A879 (59)


Text

-. . _. - . - _- - _. . _ . ._

i l GRAND GULF NUCLEAR STATION-UNIT 1 SAFETY PARAMETER DISPLAY SYSTEM '

l SAFETY ANALYSIS l

i REVISION 1 SEPTEMBER 1986 l

.3 SYSTEM ENERG Y RES O UR CES, INC.

R! ? 188E 88888 6 P PDR

s Q

4 b

GRAND GULF NUCLEAR STATION SAFETY PARAMETER DISPLAY SYSTEM SAFETY ANALYSIS REPORT REVISION 1 September 1986 i.

I

s .

TABLE OF CONTENTS PAGE

1.0 INTRODUCTION


1 1.1 S ummary o f S a f e ty Ana lys is - ---- -- - --- --- -- --- - - --- -- -- - - --- --- --- 1 1.2 D is cus s ion o f S PD S B as e s - -- -- --- - - - ----- --- -- --- -- - - -- -- ---- - - --- 1 1.3 NRC Criteria ----------------------------------------------------- 2 1.4 Abbreviations ---------------------------------------------------- 2 2.0 SPDS DESIGN BASES ------------------------------------------------------ 5 2.1 Plant Safety Monitoring and Emergency Response ------------------- 5 SPDS Parameter Selection Methodology------------------------------ 7 2.2 2.3 Isolation Valve Status ------------------------------------------- 16 3.0 SPDS DESIGN CONSIDERATIONS --------------------------------------------- 18 3.1 Introduction------------------------------------------------------ 18 3.2 S P D S D e f in i t i o n - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 18 3.3 SPDS Availability ------------------------------------------------ 18 3.4 S PDS Us e and Loc a t io n - - - - - - - - - - - - - - - - - -- - - - - - - - - - - - - - - - - - - - - - - - - - 2 2 3.5 Reactor Modes Considerations ------------------------------------- 22 3.6 SPDS Flexibility ------------------------------------------------- 24 37 System Hardware, Data Storage and Recall Capabilities ----------- 24 3.3 Signal Validation ------------------------------------------------ 27 3.9 Electrical Power Sources ----------------------------------------- 27 3.10 Circuit Isolation Devices ---------------------------------------- 27 3.11 Human Fact o r s Eng in e e r ing - - -- -- -- - - - -- -- ------ - - - - - - -- ------ - - --- 2 9 t

4.0 SPDS DISPLAYS ---------------------------------------------------------- 30 4.1 Display Philosophy ---------------- ------------------------------ 30 4.2 CF Assessment Display Feature ------------------------------------ 30 4.3 CF Overview Displays --------------------------------------------- 32 4.4 P r im a ry D i s p l ays - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 3 2 i

4.5 Secondary Displays ----------------------------------------------- 33 4.6 Analog Trends ---------------------------------------------------- 33 l 4.7 Support Displays ------------------------------------------------- 34 l 4.8 Display Acc.ss --------------------------------------------------- 34 Variable Quality Indication -------------------------------------- 34 4.9 r

5.0 SIGNAL VALIDATION ------------------------------------------------------ 35 5.1 Int.cduction --------------------------------------- ------------- 35

, 5.2 The Validatica Process ------ --------------------------------- - 35 I

l r

l I .

E

0 TABLE OF CO WE WS (Continued)

PAGE 5.3 Signal Validation Features --------------------------------------- 36 5.4 Validation Results ----------------------------------------------- 36 6.0 VERIFICATION AND VALIDATICN -- ----------------------------------------- 37 6.1 Verification and Validation Ove rview -------------------- -- - --- 3 7 6.2 SPDS Verification and Validation -------------------------- ----- 37 6.3 System Requirements Verification --------------------------------- 37 6.4 Hardware / Software Design Verification ---------------------------- 38 6.5 SPDS Validation --- -- ------------------------------------------- 38 7.0 HUMAN FACTORS ENGIKEERING ---------------------------------- ----------- 40 7.1 Task Definition -------------------------------------------------- 40 7.2 Equipment Considerations ----------------------------------------- 40 7.3 Viewing Environment ---------------------------------------------- 40

~

7.4 Human Factors Criteria --------- --------------------------------- 40 7.5 Display Concepts -------------------------- ---------------------- 41 i

7.6 Display Development ---------------------------------------------- 42 7.7 Display Functional Description ------------------- - ------------- 42 7.8 Display Review --------------------------------------------------- 42 4

8.0 MAN-MACHINE VALIDATION (HMV) ------------------------- ----------------- 43 8.1 MMV Objectives --------------------------------------------------- 43 8.2 MMV Methods -- ------------------------------------------------ -- 43 8.3 MMV Program Documentation ----------- ---- -------- ----------- -- 44 9.0 OPERATOR TRAINING --------------- -------------- =---------- ----------- 43 10.0 CONCLUSICN --- --------------------------------- ----------------------- 46 10.1 Compliance with NURIG-0737 Supplement 1, Section 4.1.a - --------- 46 10.2 Compliance with NURIG-0737 Supplement 1, Section 4.1.b -------- -- 46 10.3 Compliance with NUREG 0737 Supplement 1, Section 4.1.c - - ------- 46 4

10.4 Compliance with NUREG 0737 Supplement 1, Section 4.1.d -- ----- -- 47 10.5 Compliance with NURIG-0737 Supplement 1, Section 4.1.e ----------- 47 10.6 Compliance with NURIG-0737 Supplement 1, Section 4.1.f --- ---- -- 47 APPENDIX A - PRINCIPAL CONTROL PARAMETER SET --- ----- - --------------- A-1 REFERESCES -- --- - --..--.-------.---------- - ----- - -- ----------- R-1

- 4

,. o 0 -

, s .-

4 TABLE OF C0YrE. V TS (Continued)

TABLES PAGE 2.1-1 Co r r e l a t ion o f C STs t o E PG s - - - - - - - - - - - - - - - - - - - - - - - - -- - - - - - - - - - - - - - - - 6 2.2-1 Generic EPG Control Functions ------------ ---------------------------- 9 2.2-2 GGNS PSTG Principal Control Functions --------------------------------- 11 2.2 3 GGNS S PD S P a r am e t e r s - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 14 2.2-4 Correlation of CSF to GGNS SPDS Parameters ---------------------------- 15 3.3-1 SPDS System Availability ---------------------------------------------- 20 FIGURES i

PAGE 2.2-1 Example Page f rom GGNS Functional Analys is ---------------------------- 12 3.3-1 SPDS Block Diagram -------------------------------------------- ------- 19 3.4-1 Typical Control Room SPDS Location ------------------------------------ 23 4.1-1 Conceptual Display Heirarchy ------------------------------------------ 31 l

,. s GGNS SPDS SATETY ANALYSTS REPORT

1.0 INTRODUCTION

1.1 Summarv of Safety Analysis This report provides a written Safety Analysis for the Grand Gulf Nuclear Station (GGNS) Safety Parameter Display System (SPDS),

Information is provided to show that the SPDS is being designed to fully meet the provisions of Supplement 1 to NUREG-0737 (Ref. S), that it will be consistent with the plant-specific Emergency Procedures being concurrently developed, that accepted human factors principles are being applied, that independent verification of systems and sof tware will be performed, and that the SPDS will be an aid to the Control Room

, personnel in menitoring plant safety parameters and in mitigating emergency situations.

t

, The CGNS SPDS Functional Specification, Revision 1, provides more detailed information concerning display features and system use.

1.2 Discussion of SPDS Bases Emergency Procedure Guidelines (EPGs) (Ref. 6) have been developed by the EVR Owner's Group and accepted by the NRC as the basis for emergency respense in BWR's. These generic guidelines have been converted into plant specific guidelines for preparation of GGNS emergency procedures.

Using methodology developed by the BVR Owner's Group, the GGNS guidelines were evaluated to identify informat;:n requirements needed to monitor overall plant safety parameters and initiate operator actions to protect principal safety functions based on general plant sy=ptoms rather than specific events or transients. ,'

(1)

GGNS SPDS SATETY ANALYSIS REPORT GGNS SPDS displays were designed to incorporate appropriate informa-tion based on the Plant Specific Technical Guidelines (PSTG's) ave and h been structured to aid the operating crew in initiating and executing the emergency procedures.

1.3 NRC Criteria Since the original requirement to p:evide an SPDS, various NRC and industry guidance has been covsloped to functionally define what the SPDS should contain and how it should function. These guidance documents inclu'de h"CREG 0737, NUREG 0696, NUREG-083S, and INPO SVTAC on SPDS Implementation, along with various owner's group documents. Until the issuance of Generic Letter 82-33 entitled "Supplemenc 1 to NL' RIG-0737 -

Requirements for Emergency Response Capability", the specific NRC requirements for an SPDS had not been well established. Supplement 1 therefore became the NRC criterion that must be used to meet the emergency response capability requirements and all previous NRC documents were to be used as guidance.

Section 4.1 of NUREG 0737 Supplement 1 ddresses the specific require-ments to be used for developinE the SPDS. Each of these requirements has been met by MP&L in the design of the GGNS SPDS system. This Safety Analysis Report will demonstrate how each part of Supplement 1, Section 4.1, is met. Results are summarized in this report in Settien 10 Conclusions.

1.4 Abbreviations Throughout this document, the following abbreviations are used:

a. ADS - Automatic Depressurization System
b. APRM Average Power Range Monitor l

(2) i

GGNS SPDS SAFETY ANALYSIS REPORT

c. ATVS - Anticipated Transient Without Scran
d. BWR - Boiling Vater Reactor
o. BWROG - BWR Owner's Group
f. CF - Control Function 3 CR - Control Roos
h. CRT - Cathode Ray Tube (Display)
1. CSF - Critical Safety Functions ,
j. DCRDR - Detailed Control Roos Design Review
k. DOE - Department of Energy
1. DTTU - Digital Tape Transport Unit
m. ECCS - Emergency Core Cooling Systems
n. E0P - Emergency Operating Procedure (Generic)
o. EP - Emergency Procedure (GGNS-Specific)
p. EPG - Emergency Procedure Guidelines -
q. EPRI - Electric Power Research Institute
r. ERTIS - Emergency Response Facility Information System
s. FSAR - Final Safety Analysis Report
t. GDDP - Graphic Display Development Program
u. GGNS - Grand Gulf Nuclear Station
v. IKM - Integrated Memory Modules
w. INPO - Institute for Nuclear Power Operations
x. IVSP - Isolation Valve Status Panel
y. LOCA - Loss of Coolant Accident
z. MMV - Man Machine Validation aa. MP&L - Mississippi Power & Light Co.

bb. EBF - Mean Tin 3etween Failures cc. NITR - Mean Time to Repair dd. NPSH - Net Positive Suetion Head ee. NRC - U.S. Nuclear Regulatory Commission ff. NUTAC - Nuclear Utility Task Action Committee gg. PGP - Procedures Generation Package hh. PSTG - Plant Specific Technical Guidelines

11. RAM - Random Access Memory jj. RPV - Reactor Pressure Vessel kk. SAR - Safety Analysis Report (3)

, o, c GGNS SPDS SA}TfY ANALYSIS REPORT

11. SGTS - Standby Gas T; satsent Systes mm. SMD - Storage Module Drive nn. SPDS - Safety Parameter Display Systes oo. TAF - Top of Active Fuel pp. V&V - Verification and Validt: ion R

l i

E I

i l

I (4) i

0 GGNS SPDS SAFETI ANA2,YSIS REPORT 2.0 SPDS DESIGN BASIS 2.1 Plant Safety Monitorina and Emerzeney Response Industry experience in developing various SPDS designs has shown that SPDS displays are more meaningful and useful to operators during eser-gency response situations when they are directly integrated with Emergency Procedures (EPs).* Specifically, esorgency response decisions and actions made by the operating crew are aided by an SPDS that supports the entry to and execution of the EPs. The PSTU's which were prepared from generic Emergency Procedure Guidelines (EPGs) developed by the BVR Owner's Group (BVROG) have provided the technical basis for the Grand Gulf Nuclear Station (GGNS) SPDS to ensure SPDS/EP integration.

Development of the BVROG generic EPGs included analysis of severe accidents and transients by the reactor designer (Ref.1). These EPGs -

have been evaluated and accepted by the NRC as documented in the NRC Safety Evaluation Report on Revision 3 of the EPGs (Ref. 2) which supports the use of the EPGs as a satisfactory basis for emergency response procedures. The generic EPGs, and plant specific EPs develcped from them, are symptom based and therefore they are not bar.ed on a limited set of specific transients or accident scenarios. Thus, GONS safety can be better assured for a wide range of events and severe acciewets by adherence to the symptom basei EPGs and EPs and maintaining plant ceadi-tions as specified there in. Selestien of SPDS parameters to monitor plant safety status using information from EPGs and E0Ps provides a basis for SPDS parameters that not only integrates with NRC-approved guidelines for emergency respcase but also is analytically traceable to the post-TMI requirements for additional analysis of transients and accidents.

  • Note: The term Emergency Procedures (EPs) is synonymous with Emergency Operating Procedures (EOPs) used in generic work by the BVROG and in NRC documents.

(5)

.- GGNS SPDS SATETY ANALYSIS REPORT The generic EPGs have been translated into Plant Specific Technical Guidelines for use in developing EPs that reflect systems and emergency response information appropriate for GGN1 (Ref. 3). The format used by MP&L to prepare the PSTGs shows the correspondence between the GGNS PSTGs and the generic EPGs and provides justification and explanation for the r

differences.

The generic EPGs developed by the BVROG address all five of the critical safety functions (CSF) specified in NUREG-0737 Supplement 1 through the use of three primary control guidelines for BVRs. The correlation between ,

the five critical safety functions and the BVR emergency procedure guide-lines is shosn in Table 2.1-1. Since GGNS PSTGs are based on the NRC-TABLE 2.1-1 CCRRELATION OF CSTs TO EPGs 4

NUREG 0737 PROPOSED Supplement 1 CSF BVROG EPG GGNS EP Reactivity Control------------

I Reactor Core Cooling and l Heat Removal l--RPV Coatrol Guidelite EP-2 l

Reactor Coolant Syntes -- ----l ,

Integrity Radioactivity Control- -- -------Radioactivity Releata EP-4 Control Guideline Primary Containment EP-3 Containment Conditions------- ---Control Guideline appreved EPGs for emergency response which address ths caintenance of plant safety functions, and since the PSTG fun'ctional analysis as discussed in Section 2.2 provides the emergency response informatica needs, the PSTGs are being used as a basis for development of the SPDS parameter requirements for GGNS. This developmental approach used for the GGNS SPDS binds NURIG 0737 Supplement 1, Section 4.1.f (CSF status monitoring) with Sections 4.1.a (design basis of SPDS displays) and (6)

CONS SPDS SATE Y ANALYSf3 RIpCRT 5.1.b.ii (use of ECP (PSTG) function and task analysis). is a result,

, displays developed using this approach support osergency response informa-tion requireaants which in turn encoepass the SPCS design basis functions specified in Section 4.1.f.

One additional control guideline has been developed by the Bkl0C to cover secondary containment, and is implemented at CCNS as EP-5. The intent of the Nt1EG-0737 Supplement 1 CSF pertaining to containment conditions is completely addressed by EP-3 (Primary Containment Control), but the SPDS has been designed to include EP-3 parameters as well. The initial imple-mentation of the SPDS to meet Nt' REG-0737 cosuittments will not include EP-5 para =eters.

2.2 SPDS Parameter Selection 'fethodology Selection of parameters is based on the methodology and results of the Bh10G Graphic Display Development Program (GDDP) conducted by the Electric Power Research Institute (EPRI) and the Department of Energy (DCE)

(Ref. 4).

In the GDDP a functional analysis was performed on the generic BVR Emergency Procedure Guidelines, Revision 3, developed by the Bh300. De functional analysis of the generic EPGs identified the generic emergency response functions of a BVR operating crew. The analysis was extended beyond function identification to determine the logical relationships between the response functions and to identify the generic information requirements needed by an operating crew to perform each EPG functional step. This analytical methodology is commonly referred to as cognitive task analysis, i The emergency res9ense functions are addressed in the EPG functional analysis, but the specific emergency response tasks for the Control Room cperating crew, as opposed to an individual operator or supervisor, were r

not addressed in the EPG functional analysis since the sy=ptom based EPGs do not specify a division of labor between operators and supervisors and do not restrict actions or decision making to a specific Control Roem location. Generally speaking, the operator takes actions and participates in making decisions, whereas the suptrvisor sakes decisions and partici-pates in taking actions.

(7)

{

e, GGNS SPDS SAyETT ANALYST $ RIPORT As indicated in the GDDP report, the process used in the EPG functional analysis is similar to the decision saking model developed by Jens Rasmussen of the Risco National Laboratory in Denmark. In general, the process adapted from the decision saking sodel describes rule based behavior, where specific operator actions are based directly on the identification of a changed plant condition followed by the application of a predetermined decision process. In the functional analysis, a single decisica saking model with three basic function categories was used:

o Gathering and processing of information, o Making a decision, o Taking an action.

It should be noted that the EPG information requirements identified in the BVROG project are generic and are independent of any particular plant Control Roos. Similar to the process required for the Control Room Design Review Task Analysis, the information and control identification process is not based on, or limited to, only currently available instru-sentation in a specific Control Roos, thus the GDDP results were not "driven" by the currently available instruments. The information require-ments identified from analysis of EPGs or PSWs are useful in determining plant paraneters or variables for use in display aids.

Systematic analysis of the EPGs for all information requirements (both inplicit and explicit in the EPGs) associated with the three basic function categories listed earlier produced a large list of plant paranstors as provided in the GDDP report. nis information say be used to design various types of graphic displays to meet a wide range of potential objectives for operational aids.

n e is~ACG examined steps identified in the EPG functional analysis and determined which parameters are principally controlled by performing each step. nis resulted in the identification of nine principle control functions for the generic EPG's. These control futetions and the related f

l EPG steps are shown in Table 2.2 1.

i l

Actions specified in the EPGs directly correspord to one or more of these principal control functions which results in symptoe based EPs that are l

structured to specify operator actions for controlling a small set of l

parameters to assure continued safety of the plant. The SVROG EPGs inherently cover all of the NRC* identified critical safety functions for (S) i i

GGNS SPDS SAFT.TY ANALYSIS REPORT TABLE 2.2-1 GENERIC EPG COVTROL FUNCTIONS AND SUPPORTING EPG STEPS (EPG REV. 3)

1. RPV Water Level Control Function RPV Control Guideline Steps RC/L Contingency C 1, Level Restoration Contingency C-4, Spray Cooling Contingency C-5, Alternate Shutdova Cooling Contingency C 6, RPV Flooding Contingency C-7, Level / Power Control
2. RPV Pressure Control F:metion RPV Control Guideline Steps RC/P Contingency C-2, Emergency Depressurization Contingency C 3, Steam Cooling Contingency C-5, Alternate Shutdown Cooling Contingency C 6, RPV Flooding
3. Reactor Power Centrol Function .

RPV Control Guideline Steps RC-1 and RC-Q Contingency C 7, Level / Power Control

. 4 Suppressiren Pool Temperature Control Function Primary Contairaent Control Guideline Steps SP/T

5. Drywell Temperature Control Function Prinary Contairaent Control Guideline Steps DV/T
6. Contairment Temperature Control Function Primary Contairment Control Guideline Steps CN/T
7. Pri=ary Containment Pressure Control Function Primary Containment Control Guideline Steps PC/P
8. Suppression Pool Water Level Control Function Prinary Contairment Control Guideline Steps .*P/L
9. Radioactivity Release Control Function Radioactivity Release Control Guideline Steps RR (9)

c '

.i 4

$GNSSPDSSAFETYANALYSISRT. PORT monitoring plant safety, (i.e. , reactivity, core cooling and primary system heat removal, cooling system integrity, containment and radio-activity).

The function of the EPG-based displays, as recognized by the BWROG, is to assist the operating crew in the decision making process involved in EPGs/EPs. Thus the GDDP approach to parameter selection used decision classifications to distill three sets of parameters from the complete set of information requirements identified by functional analysis of EPGs.

The three decision types, and the three corresponding types of informa-tien required to support the decisions are:

o Information Type 1 - Information directly associated with determining the current value and trend of the specified control function parameters, together with their limits, setpoints and ranges.

o Information Type 2 - Information required to assess availability and status of systems and components identified in the EPGs. i o Infor.c ton Type 3 - All other information defined in the EPG func-tional analysis, not included in 1 or 2, and including information for decisions requiring i judgment.

/ a result three generic parameter sets were chosen which correspond to tne following types of information:

o Control Function Status (Information Type 1) o Control Function and System Status (Information Types 1 & 2) o Composite (Information Types 1, 2, and 3)

(10)

4 GGNS SPDS SAFETY ANALYSIS REPORT F

i The GGNS PSTGs (based on EPG Rev. 3, modified) were used to convert the generic GDDP functional analysis into a GGNS specific analysis which will reflect the GGNS plant-specific syste-s, features, and emergency response actions. The GGNS functional analysis was then supplemented with GGSS information and control requirements of the PSTUs. That is, the component type and plant parameter as well as the parameter characteristics (i.e. ,

range, scale, etc.) have been added to the documentation. This PSTG functional analysis was performed by an independent subject matter expert.

Figure 2.2-1 is an example page from the GGNS PSTU analysis. It should be noted that the results from the GGNS functional analysis can also pro-vide information and control requirements for use in the Detailed Control Room Design Review verification phase.

Similarly, the generic parameter sets from the GDDP have been made GGNS specific based on the analysis of the GGSS PSTGs. Although the BVROG functional analysis methodology can be used to identify a large number of plant parameters it is those parameters that relate to the principal BWR control functions that can provide concise overall information about plant safety status.

A set of emergency response control functions can be identified La the existing GGNS PSTGs by applying the BVROG generic program methodology and results. These principal control functions are shown on Table 2.2-2.

TABLI 2.2-2 CONS PSTG Princioal Control Functions RPV Vater Level RPV Pressure Reactor Pewer Suppression Pool Water Temperature Dryve11 Temperature Containment Temperature Containment Pressure j Suppress, ion Pool Water Level Radioactivity Release Rate (11)

  • 2  :

a 8 .

=

i S 33 3

2i 46 -

1.

] 8 2 g " gl o m :: 2 es 1.3

~

~

"b, y 71-X"X o, a- o-2 3 ,3

, b , y: J, I s FV a

a 3" .

F: FV Ps ::

s~ 7 3

" *J FE 1 az ananaz22 az la -

u 3 3 li s. - .l e t is 11 : t  :- . :u p :p

.i  :-

e_1  :

ll

a -i
3:

3 vi sa s  :: 2 g

- 16 =a4 : :: g .:

II;s t! E E25131 = 11 T <

s. .

.,. ~ ~ c C

o h.

U 4 C

.h. -

'I -t w i

1  !

j  : .

. . g l

l A i

5 3

.I n L .

1 g 4 3 i t

1) i -

L 4 2 i #

. I .

  • * . a

-  ;. a .,. .:

I a IX I ~

55E 8a?I i

i i

-a:

L i 3lgI

. - 5 .3. -

, ie i e

[ ia <

l

. 3 i

g

-] -

t. , 1 1 1 1 . j .,

l .i i .a .!

I j I E. I e,mi e

l l0 I d C

(12) t__

GGNS SPDS SAFETY ANALYSIS #IPORT Since BWR safety can be assured by proper asintenance of the principal control functions, a fundamental GGNS SPDS parameter set evolves from the PSTG analysis and the identified PSTG control functions. These parameters are those that are either used in PSTG entry conditions and/or are a principal control parameter. This set of principal control parameters is defined such that the plant will be asintained in a safe condition as long as these parameters are saintained within the ranges specified in the PSTGs. Thus, since the PSTGs provide sufficient emergency response for BVR analyzed transients and accidents occurring under all plant operating conditions, the GGSS SPDS parameter set derived from analysis of the PSTGs likewise provides adequate information for assessing plant safety status under all modes of operation.

The list of GGNS SPDS parameters is shown in Table 2.2-3. Additionally, Hydrogen concentration will be included in the SPDS since it is known that a section of the PSTG devoted to H control will be developed.

MP&L has chosen to include in the SPDS every parameter concerned with Information Type 1. GGNS is an advanced design BVR/6 with installed color graphic computer systems which provide excellent plant system status information, and the SPDS displays will be simpler and more concise by keeping the parameter set to the size indicated, thereby man.i.ng the SPDS easier to use in emergency situations. The parameter set in Table 2.2-3 will require input of approximately 100 individual data

! points. More detailed information is presented for each SPDS parameter in Appendix A.

The NRC Critical Safety Functions (CSF) can, therefore, be related to the PSTG control functions. The correlation between CSF, defined in NUREG-0737 Supplement 1, and the GGNS SPDS parameters is shown in Table 2.2 4 l

l l

(13) l l

i

GGNS SPDS SATETY ANALYS!$ REPORT 4

TABLE 2.2 3 GGNS SPDS Parameters

1. RPV Vater Level
2. RPV Pressure
3. Reactor Power
4. RPV Water Temperature S. SCRAM Status
6. Dryvell Pressure
7. Deywell Temperature
8. Containment Temperature
9. Containment Fressure
10. Suppressien Pool Temperature
11. Suppression Pool Water Level
12. Of fsite Radioactivity Release Rate (14)

GGNS SPDS SATETY ANALYSIS REPORT TABLE 2.2-4 CORRELATION BETVEEN CRITICAL SATETY FtJNCTIONS AND GGNS SPDS PARAMETERS Associated GGNS Critical Safety Tunction SPDS Parameters

1. Reactivity control Reactor Power RPV Vater Level RPV Pressure Scraa Status
2. Reactor Core Cooling and Reactor Power Heat Removal RPV Vater Level RPV Pressure
3. Reactor Coolant System RPV Vater Level Integrity RPV Pressure Drywell Pressure Drywell Temperature Suppression Pool Vater Temperature Suppression Pool Water Level Containment Pressure Containment Temperature RPV Vater Toeperature
4. Containment Integrity Drywell Pressure Drywell Temperature Cantainment Pressure Contaissent Temperature Suppression Pool Water Temperature Suppression Pool Vater Level
5. Radioactivity Control Off site Radioactivity Release Rate (13)

O GGNS SPDS SAFETT ANALYSIS REPORT If the BWROG EPGs and the PSTUs are modified in the future, an assessment will be made to determine what modification to the SPDS parameter set eight be necessary (if any). Subsequent update of SPDS displays can then be accommodated, as discussed in Section 3.6, Display Flexibility.

2.3 Isolation Valve Status As indicated in Table 2.2-4, one of the safety functions that will be incorporated in the SPDS is containment integrity. The GGNS SPDS will sonitor containment integrity by displaying the following parameters:

o Primary Containment Temperature o Primary Containment Pressure o Drywell Temperature o Drywell Pressure o Suppression Pool Temperature o' Suppression Pool Level .

Assuming no breach of primary containment exists", another method exists whereby the plant operator say confirs containment integrity. This method requires the plant operator to confirm the statua (open/ closed) of isolation valves based upon plant operating mode and the isolation actuation setpoints for the containment integrity parseeters listed above. Such confirmation is available to the operator from two sources:

o Position indicator lights at each isolation valve control switch o Position / demand status lights at the Control' Room- Isolation Valve Status Panel (IVSP)

The first source of isolation valve status requires the operator to know and search out each isolation valve control switch (distributed among three separate Control Roon panels) to confirm containment integrity. Such a search would be slow under accident conditions since isolati$n valve control switches and position indicator lights are so similar to switches and lights of other valves located in the immediate vicinity.

(16) t

GGNS SPDS SATETY ANALYSIS REPORT

~

However, the second source, the IVSP, provides the operator with isolation valve status in a much more comprehensive and cceprehendible format. This source provides the following information for each of the isolation valves on the IVSP:

o A graphical (piping schematic) representation of the valve location and system assignment through the use of system and location demarcation lines and color coding o Valve status (open/ closed)

The plant operator can determine the position of each isolation valve on the IVSP visually.

The IVSP is located directly above panel PS70 (refer to Figure 3.4-1). It is easily viewed by an operator at the SPDS console.

The IVSP system has been designed with power supplied from uninterruptible 120 VAC instrumentation panels.

The isolation valve status information need not be presented on SPDS displays, since this Laformation is provided in easily comprehendible form on the IVSP.

(17)

O O o GGNS SPDS SAFETY ANALYSIS rep 0RT 3.0 SPDS DESIGN CONSIDERATIONS 3.1 Introduction This section provides an overview of the computer system and addresses a number of topics that relate to SPDS design and are of regulatory interest. Each topic will be dealt with separately in the following subsections.

3.2 SPDS Definition The SPDS at GGNS is a subset of the E=ergency Response Facility Informa-tion System (ERFIS). The SPDS has one color CRT/ keyboard console located in the Control Room. As implemented at GGNS, the SPDS will be used solely as an operator aid in eenitoring plant safety status and in entry into and execution of the EP's being developed in parallel with the SPDS.

3.3 SPDS Availability Design goals for SPDS availability are as follows:

o Availability = 0.99 (reactor above cold shutdown) o Availability = 0.80 (reactor at cold shutdown or refuel)

The determination of availability depends upon forced and scheduled out-ages of the SPDS data systems, instrumentation, and f acilities and upon the configuration of the entire system.

Figure 3.3-1 is a block diagram of the GGNS SPDS system. A remote =ulti-plexer unit receives up to 25 individual instrument loop inputs (analog or digital). The remote multiplexer performs signal conditioning and A/D conversion and transmits the multiplexed signal (25 channels) to the digital multiplexer.. The digital multiplexer receives signals from up to 8 remote multiplexers. The digital multiplexer transmits a multiplexed signal (200 channels) to a digital buf fer. The digital buffer acts as a signal splitter and retransmits up to 3 inputs to as many as 4 master receivers. At this point, the SPDS system is redundant. Digital buffer outputs are received by each SPDS master receiver. Each master receiver c'n receive up to 16 multiplexed inputs for a total of up to 3200 separate instru:ent channels. Each master receiver scans all inputs and transmits (18)

~ .

a INSTR REMOTE DIGITAL DIGITAL MASTER ERFIS SPDS LOOPS MUX MUX BUFFER RCVR COMPUTER CONS 01.E i

t

~

IE-A2 FO

021 IE -A2 - IE i

, IE-A2 FO J IE-A2 IE O20 l

NON-lE J J g l A NON-lE O23 303 r NON-lE J NON-lE 011 l J NON-lE J l 1 NON- BE Cl2 ,

T-EMR J

IE-A2 FO h

~

IE-A2 l l

.  : Os0 IE-A4 I i j3 FOl IE-A4 gE 4

NO*4-lE J J g g l NON-lE 0 41 302 NON- BE J J NON-lE 042 040

~I J FO- FIGER OPTIC CAS.E l

NON-lE 043 1

Figure 3.1-1 SPDS Block Ulagram

e GGNS SPDS SAFETT ANALYSIS REPORT each char.uls' digital data to the SPDS computer for data processing and i storage. The output of each SPDS computer is switchable via the T-Bar 1

switch to the SPDS console /CRT.

Both SPDS master receivers and computers are normally maintained in an -

operating state, so that should the primary system fail, a simple transfer of the T-Bar switch will re-establish SPDS displays to the control Room.

The following sections present the GGNS availability analysis and results:

3.3.1 Forced Outane Analysis Hardware failure analysis is performed'by equipment manufac-turers. Reliability (as opposed to availability) data for each  ;

component or assembly is obtained in the form of mean-time-between-failures (MTBF) and mean-time-to-repair (MITR). The GGNS SPDS utilizes an existing data acquisition system for d:ta input.  ;

This system (transient test recording systen-GETARS) includes the i remote and digital multiplexers and the digital buffers (refer to Figure 3.3-1). Equipment manufacturer's analysis results (MTBF only) are shown in Table 3.3-1 along with results from the i .

remainder of the SPDS system. MTTR's on Table 3.3-1 are esti-sates of total forced outage time (includes problem diagnosis, i repair / replace times, and an allowance for administrative requirements).

Table 3.3-1 ,

1 SPDS System Availability NTBF (HRS) MM R (KRS) A l l ITEM COMPONENT / SUBSYSTEM Data Acquisition 43800 5 .99988 l '

l 1 4

l 2 SPDS Compu.ee 552 6.5 .98836 l T-Bar Switch 29055 4.3 .99985 l (

! l 3..

l 4 SPDS Console 2814 4.5 .99860 l  ;

r l Equations ~ -

MTBF, A, a MTBF, + MTTR, 1

1 2 A3pp3 = At x (2A - As) x As xA4 [

= 0.9980 (20) l

O GGNS SPDS SAFETY ANALYSIS REPORT 3.3.2 Scheduled Outare Analysis Scheduled preventive maintenance of the GGSS SPDS enec= passes equipment / cabinet cooling filter replacement and semi annual instrument channel input amplifier calibration. Out of-service time for this PM is as follows:

o SPDS Computer Hard Disk Memory Cooling Filter Replacement This requires out-of service time on the system requiring s e rvice. However, since the SPDS co=puters are redundant there is no associated unavailability for the SPDS.

o Instrument Channel Input Amplifier Calibration (located in remote multiplexers). This calibration requires only a single instrument channel to be removed from service. This does not affect SPDS system availability. This also applies to instru-ment loop calibration. -

3.3.3 Sof tware Analysis SPDS availability could be affected by software reliability and sof tware structure. Highly reliable software (software with few, if any errors) with sufficient error handling routines will be demonstrated during the validation process of the V&V effort.

Hence, software reliability should have little effect on SPDS availability. The SPDS software is also structured so that data acquisition always has priority over any other task. Display software is structured so that SPDS display output tasks have priority over any TSC or EOF tasks. Therefore highly reliable and prioritized software insures that SPDS availability will not be affected.

3.3.4 Availability Results Based upon the availability results shewn in Table 3.31 and assuming sof tware availability of 1 an'd preventive maintenance outage time of 0, the GGNS SPDS is expected to achieve an availability exceeding the design goals during all plant modes.

This includes refueling and cold shutdown modes since SPDS will be fully operational during these modes also.

(31)

Q

..- GGNS SPDS SAyETY ANALYSIS REPORT i

i

[ The CGNS SPDS is already a nature systen. The computer hardware has been installed for over a year, and the control room terminal  !

has been in place for over six months.

3.4 SPDS Use and Location The SPDS r.onsolo in the Control Room consists of a keyboard with a 19 inch CRT/ color graphics display. The keyboard was

~

provided with special key:aps to enhance usability by operators. The console is located approximately as shown in Tigure 3.4 1, so as to provide quick access and easy viewing from operator workstations.

The SPDS will be operated by Control Roos personnel in accordance with approved procedures. The GGNS Emergency Procedures (EP) vill have special

. notations to indicate when the SPDS displays may be the most helpful.

The EPs will be designed for use both with and without SPDS, and operators will be trained for both situations.

F 3.5 Reactor Modes Considerations Energency procedure guidelines developed by the IWR Owners Group provide the basis for effective and safe response to general symptoms of the plant without regard to the operational mode of the plant. Thus, the GGNS SPDS will be useful in various plant modes for monitoring plant safety and initiating appropriate emergency response consistent with the GGNS EPs and PSTG's which are based on the BWROG EPG's.

A detailed review of the GGNS EPs will be conducted to determine if additional alaras or data points are needed in the SPDS for non power modes of operation. Any additional alarus or data potats identified by this evaluation that are applicable to cold shutdown or refueling modes will be considered for addition to the SPDS after the LLitial SPDS implementation has been completed.

(22) f

s' P

.b I =' I - 1I "a

n.

p-- (. .t.

..n -.

L ut~ ~ = ~

l ,,,, , ,_ , ,_ l g ,,,.

igu -

lll H ,u. .

,"" D ,e ,

l ,,, l ..{ .. f"l l

"=

.c =

u .. 3, -

~

$  % g l l ,wa l lnw l nri ll 8

g ,- ,.

g - 1 g ., - -

l l nt: ll

,,,, g %,

nia

}_

[ y mv j mil l ni. l l s.,. ,e +-

  • - ,# =n

_ ._;. # ll l = l ,= l .. ll "

p.r ..a = ,. ,...

, ,, m. =. .

q I- H - I I I 11

'a' "

\l r. l A l r.i l na I,m -

Q

-...s.

SPDS CONSOLE Figure 3.l.-1 Tveical Centrol Room SPDS Location (23)

~ - - _ - _ _ - _ _ _ _ _ ._ . - -

c.

.. . .)

g l GGNS SPDS SATETY ANALYDIS REPORT j i

. t i

-3.6 SPDS 11exibility no GGNS SPDS is being desis,ned so that future expansion and modifications  ;

can be accommodated. The following are general areas where SPOS j flexibility will be considered:  !

I

a. Teodback' free operating personnel after initial SPDS implementation. t
b. IVROG EPG Revision 4 (currently in preparation) and future EPG revisions may result in changes to the GGNS PSTGs and EPs.
c. De results of the systes function review and task analysis being l conducted as part of the GGNS Detailed Control Room Design Review, including any Human Engineering Deficiencies which SPDS modifications might resolve. l
d. Addition of alarms or data that may be needed for SPDS sonitoring id non-power modes of the plant.
e. Incorporation of improved algorithms and techniques for validating {

and determining quality level of certain SPDS parameters. l

f. Man-machine validation of the SPDS may identify the need for SPDS i

modifications to improve usability by the operating crew.  ;

f Flexibility will be assured in the SPDS design by providing expandability [

in both data acquisition and computer hardware and by providing modular sof tware and display features with interf ace provisions that will f acili- (

tate future changes to SPDS. The hardware chosen can accept additional terminals and consideration will be given to adding one or more. >

3.7 Systes Hardware. Data Recall. and Storate Capabilities -

The SPDS includes dual SEL 32/27 computers with interface to the C36 Data t Acquisition Network, tape drives, 80 MByte moving head disk drives, and one color CRT/ keyboard console located in the Control Room. Data recall j and storage capabilities for the SPDS is accomplished via three types of [

hardware media and various software programs and handlers designed to i interface to those media. The capabilities and expandability of each l L

(24) t

. .. f

GGNS SPDS SATETY ANALYSIS REPORT type of media may be viewed from a hardware standpoint. The utilization of those capabilities and expandability may be viewed from a software st andpoint.

3.7.1 Hardware Each of the two SPDS computers contain four 256K3 (256 thousand byte) integrated memory modules (IMM's). Each IKM is composed of MOS (metal-oxide semi conductor) comory, on board refresh logic, and data format and error correction logic. Maximum throughput for this type of me=ory is 26.67 million bytes per second. The IMM random access memory (RAM) is the location of all programs and data during actual execution by the CPU. The SPDS RAM can be easily expanded from its 1024K3 to its maxt=um configuration of 4096KB by simply replacing each of the four existing 256K3 IMM's with 1024K3 IMM's and instructing the operating system of the change. This represents an expandability of 400* for SPDS RAM.

When programs and data are not required to be resident in the IMM RAM they are stored on hard disk mass storage modules. Each SPDS ce=puter has access to two Control Data Corporation (CDC) 80 M3 (megabyte) storage module drives (SMD's). Each SKD is composed of a single multi platter magnetic storage media, associated read / write logic, and control / drive components. Maximum through-put for the unit is .98 million bytes /sec. Each processor is capable of supporting four 80 MB SdD's and is also capable of supporting other SMD's of larger capacity such as the CDC 300 M3 SMD. SPDS mass storage capability can (space limitations excepted) be expanded by 750* by replacement / addition of the larger capacity SMD's.

System backup and longterm data archiving on the SPDS is attained via bulk storage tape. Each computer has the ability to ecemuni-cate with a single Digital Tape Transport Unit (DTTU). The supply and takeup reels of the DTTU will accommodate up to 2400 foot rolls of tape. Maxicum data throughput for the processor /

(25)

u t

. GGNS SPDS SAFETY ANALYSIS REPORT c .

DTTU is 120K3 per second. Each processor is capable of support-ing up to four DTTV's, giving the SPDS bulk storage expandability of 400% (physical space limitations excepted). It must be noted that a proc 6ssor can control only one DTTU at any given time.

3.7.2 Software SPDS RAM requirements are based on sound system design princi-ples. Mesory utilization of 50-85% is a goal for the SPDS RAM.

This ensures that sufficient memory will always be a.ailable for the programs that run SPDS. Should future expansions be required the expandability of the system may be utilized.

Utili:ation of the SPDS mass storage hard disc space is achieved by separating the program and associated data files from the archived data files via two SMD's. The program files SMD normally utilizes less than 50% of the total available storage spaca. The archival file SMD normally utilizes from 35100% of the tutal stovage space svailable when a database of SCO points

!.s specified. A dual circular file structure for the archival SMD is used so that while the archival program is utilizing one file, the computer operator can be saving the other file to bulk tape storage. Each archival file is capable of storing approxi-mately seven hours of archive cata for a total of fourteen hours of archived data before the circular file structure causes over-write. Thus combined pre and post event archive data can total up to fourteer hours before operator intervention (manual loading of th. .3TTU) is required.

Longterm data storage required for post event analysis utilizes the maximum size 2400 foot : eels of magnetic tape on the DTTU.

For a database size of 800 points, approximately seven hours of data can be stored on a single reel.' Recall of the archived data f rom bulk storage is acceeplished by mounting the des **ed hi.torical data file on the DTTU and activating s single program (26)

T I

, GGNS SPDS SATETY ANALYSIS REPORT from the computer operators console. Once the data is restored to the SMD, it can be viewed at either of the two engineering consoles located in the TSC and ECT.

3.8 Signal Validation The GGNS SPDS includes provisions for automatic determination and continuous indication of SPDS data quality. SPDS signals undergo 4

pass /f ail processing, range limit checking, and signal validation algoriths processing. Quality level indication are presented to ~

operating personnel along with the quantitative value of the data. The design is intended to relieve operators of routine data quality detersi-nations and to make all data available for operator evaluation of data quality as they does appropriate, i

Detailed information about SPDS signal validation is presented in Section 5.0, 3.9 Electrical ?ever Sources

  • In order to ensare that the SPDS achieves high availability, the GGNS SPDS is powered free t'as Class 1E uninterruptible 120 VAC power system. This includes not only the Class IE s:,nal conditioning / transmission portions of the systes, but also the non 1E receiver units, SPDS cesputers and data storage equipment, and SPDS plant operator's console /CRT.

3.10 gr,cuit u Isolatten Devices NUREG 0737 Supplement 1, Section 4.1.c states that the SPDS shall be suitably isolated from electrical and electronic interference with equip-ment and sensors that are used for safety systaas. NUREG 0696 sore

clearly states that interfaces between SPDS and safety systems sFS11 be isolated in accordance with the safety systes(s) criteria in order to preserve channel independence and to ensure safety systes integrity should the SPDS salfunction. The GGNS SPOS accomplishes these require-rents by physical separation and by isolation, i

y-. -.-

e GGNS SPDS SAFETY ANALYSIS REPORT Figure 3.3-1 is a block diagram of the GGNS SPDS system. Parsmeter data acquisition is accomplished via the instrumentation loop, remote multiplexer, digital multiplexer, digital buffer and master receiver subsystem. The digital buffers perform signal splitting to provide the same paraaeter data to the redundant master receivers and SPDS computers.

Some of the instrumentation loop inputs to the system are associated with Class 1E systems. The 1E-Ax designator shown on the figure indicates this type of input (e.g., 1E-A2 is "associated Class 1E, Division 2)".

Channel independence is maintained by physical separation where any remote multiplexer receives inputs from only one associated Class 1E division and remote multiplexers of one division are physically separated from remote multiplexer of another division. Separation is accoc711shed in accordance with Regulatory Guide 1.75, Revision 1 as stated in the GGNS FS AR, Appendix 3A. Environmental qualification to the requirements of 10CTR50.49 are not applicable since the remote multiplexers are located in a mild environ =ent (all asscelated Class 1E remote multiplexers are located in the Power Generation Control Complex).

In order to mairtain the integrity of safety systems should the SPDS malfunctxon, fiber optic cables are used for data transmission from the associated Class 1E ramote multiplexers to the non-1E digital multi-plexers. Fiber optic cables have the following properties which qualify l

them as ideal isolators:

o They are totally dielectric, therefore electrical fault current /

voltage cannot propagate from one end to the other. A discussion of maximum credible faults is therefore not applicable to the fiber optic cables.

o They are not susceptible to electrical interference. Possible electr.'aA1 interference created by digital multiplexers or other SPDS components / equipment cannot propagate through or be induced in the optical fiber.

(28)

_. ~

, GGNS SPDS SAFETY ANALYSIS REPORT The optical fiber cables were considered for application of maximum credible faults. Hewever, as discussed previously, fault current / voltage cannot propagate through the optical fibers and therefore, a discussion of maximum credible faults is not considered applictble.

3.11 Human Factors Engineerina Human f actors engineering is an toportant consideration for SPDS design.

Accepted human factors engineering considerations are incorporated in the GGNS SPDS, and the design process was planned ane' conducted accordingly. All appropriate elements of human fact? engineering are reflected in a human factors program doctv.at for the GGNS SPDS.

Additional details about this subject are presented in Section 7.0.

l l

l l

l l

i l

l l (29) l

  • f

4.0 SPDS DISPLAYS 4.1 Display Philosophy Previous industry experience has shown that SPDS displays which are directly linked to the Emergency Procedures (EPs) provide more meaningful and useful data to the operating crew during emergency conditions. As a

~ result of this industry experience (BWROG and Vestinghouse Owners Group validation of SPDS displays, BVP.0G/EPRI/ DOE Graphic Display Development Program, INP0/NUTAC generic display guidance), the GGNS SPDS employs a procedure-based display concept.

The GGNS SPDS displays were developed to directly assist the operators in decision-making processes for assessing control function (CF) status and EP entry and execution. The technical basis for the information displayed by the SPDS is provided by the GGNS PSTGs and the GGNS

  • functional analysis described in Section 2.0 of this document.

The Control Room CRT will continuously monitor the summary safety status.

When icwer level SPDS information is displayed, the summary safety status will still be displayed.

The SPDS displays were implemented with a logic hierarchy or structure that facilitates syste=atic passage between displays and supports operators assessment of CFs and EP entry. This hierarchy is illustrated conceptuclly on Figure 4.1-1.

4.2 CF Assessment Disolay Feature Each SPDS display provides information on the status of the CF's, thus ensuring that the operator is able to conitor control function status regardless of which SPDS display he is usinc. This is accomplished by a row of green or red boxes across the top of the displays, giving entry condition status for each of EP's 2,3, and 4.

(30)

i .

q R y OA ST h NA c ED r S a r

i l

e 1 l

- 1 y a

W Y 4 l p

E I A e s L r V P RS u i

D E I g VD i F

l a

O . 4 u

t p

e c

n o

C C

) ) )

TSY AL T R O A O P L T 0 P SP T8 1

UI s SD SE (

E

(

~.

GGNS SPDS SAFETY ANALYSIS REPCRT 4.3 CT Overview Display An overview display is provided that presents the principal control function parameters. During normal, transient, and emergency conditions, access will be provided to the pre-defined overview dispity. His display will indicate the current values of the principal control function parameters, which are listed in Table 2.2-2 of Section 2.2.

H is information vill be shown as digital values. Color coding consistent with that used in the CF assessment feature indications is used in the overview display.

The overview display supports the CF Assessment indicators and enables the operating crew to determine / evaluate which entry condition (s) has caused a change in CF status, a.4 Primarv Displays During normal, transient, and emergency conditions, access is provided to a set of pre-defined, primary displays. These displays are designed to integrate with the EP's in order to support operators in the execution of the EP's.

The following process was used to develop these displays:

o Identify "decision functions" in each EP.

o Identify SPDS parameters used in that "decision function".

o Determine what processing the operator is required to perform using the SPDS parameter information, o Develop a display to present this information processing.

Displays resulting from this process should aid the operating crew in their decision-making and further assure appropriate e=ergency response.

(32)

, GGNS SPDS SAFETY ANALYSIS REPORT 1

l l

The primary displays utilize mimics, alarm indicators, digital parameter values, and operator information messages when limits are exceeded. Limits have been specified in accordance with those specified in the GGNS PSTGs and EP's. Determination of which fes tures were used was based on logical EP/ control function relationships, computer /CRT limitations and human factors criteria for information presentation. Human factors criteria to ensure that the displayed information can be readily perceived and comprehended so as not to mislead the operator were incorporated during the display develop-ment process. A summary of the Human Factors program is addressed in Section 7.0.

4.5 Secondary Displays Access is also provided to a set of pre-defined secondary displeys.-

These displays provide the current values for each SPDS variable

- input sensor. These displays are assigned on a one-for-one basis to each primary display. This will enable cperators to have access to all of the input values used in determining the procassed values shown on the primary displays.

4.6 Analog Trends Analog trends are provided for the principal control function parr.m-eters listed in Table 2.2-2 of Section 2.2, as determined necessary during dispisy development. These trends will support the CF assessmant indi-cators, and overview and primary displays by providing operators with historical information to aid in assessing plant status. The analog t.rsnds will also enable operators to monitor recovery of principal control function para:eters and aid in decision-making once the operating crew has entered an EP. A digital readout including engineering units are displayed to inform the operator of the current control function para =eter value. The arount of historical data displayed on each analog trend has been determined through consultations with operations department personnel.

(33)

, GGNS SPDS SAFET/ ANALYSIS REPORT 4.7 Support Displays Additional displays have been incorporated in the SPDS to aid the operator in monitoring various plant limits reflected in the EPs. These displays consist of X Y and exclusion plots as appropriate for the EP's such

  • as:

o Heat Capacity Temperature Limit - Suppression Pool Temperature vs.

RPV Pressure o Heat Capacity Level Limit - Suppression Pool Vater Level vs. Delta T Heat Capacity o Suppression Pool Lead Limit - Suppression ?ool Level vs. RPV Pressure 4.8 Display Access Each display is accessible directly or threugh a menu. Once a display is selected, other displays are accessible in a timely manner.

The overview and primary displays are accessible by a single key stroke, with other displays accessible by no more than three additional keystrokes.

4.9 fariable Quelity. Indication All SPDS variables will be displayed with a visual indication of the associated quality level as determined by SPDS data processing and validation (e.g. , invalid or unvalidated variables, or values out-of-scan will be tagged). This validation process is further described in Section 5.0 of this document. Providing quality tag information will further assure operators of the validity of the SPDS data that is presented. The actual method of presenting quality tags can be found in the SPDS Functicnal Specification.

t t

(34)

= ,

GGNS SPDS SAFETY ANALYSIS REPORT

. 5.0 SIGNAL VALIDATION 5.1 Introduction The use of misleading data by the SPDS should be avoided since it can adversely affect the quality of many variables processed and presented in the SPDS. Sources of misleading data include instrumentation and sensors that drift, fail, or are removed from scan. Signal validation techniques have been incorporated into the software processing to determine and indicate data quality.

5.2 The Validation Process Sensor signals used by the SPDS undergo pass / fail processing, range limit checking and signal validation, as appropriate, before beida used in the algorithms which determine the status of the critical safety functions. The quality of a plant parameter will be indicated by its quality tag. All SPDS parameters including calculated values will carry a two state quality tag validated and invalid. The validation process is described below:

a. Pass / Fail Processing determines whether or not a sensor signal is in scan, the w21tiplexor communication interface is operating within design limits, and the analog / digital converter drif t is within design limits. A sensor signal f aillag pass /f ail processing is assigned an invalid quality tag,
b. Range Limit Ch1cking detersines that a sensor signal is within its instrument range, with predetermined margins f rom scale maximum and minimum. A sensor signal not within the range limit is assigned a special "of f scale" quality tag.
c. Signal Validation Processing will be performed on signals that are physically redundant to establish a higher level of data quality where appropriate. The primary processing technique used at GGNS for signal validation is Parity Space Vector analysis, with weighted arithmetic averaging. ,

(35)

GGNS SPDS SAFETY ANALYSIS REPORT Signal validation processing uses pre-determined algorithms and software designed for the number of redundant signals and the particular process appropriate for each SPDS parameter.

A parameter that f ails signal validation processing is assigned an invalid quality tag and one passing is assigned a validated quality tag. Any individual sensor signal rejected as inconsistent by signal validation processing is assigned an invalid quality tag.

5.3 Signal Validation Features

a. Preferential Use of Validated Data Validated signals and parameters are used preferentially over lower quality dr.ta for indication of control function status.
b. Quality Tag Application Application of quality tags will not affect the quantitative value of the data and access to data will not be affected regardless of validity judgments rendered by the validation process.
c. Calculated Variable and Quality The quality tag associated with any signal or parameter will be carried through and reflected in the quality tag for any subsequent calculations that use that signal or parameter. If a particular calculation uses inputs with different levels of quality, the lowest level of quality used will be reflected in the quality tag for the calculated result.

5.4 Validation Results The described use of signal validation will provide input to the SPDS that:

a. is purged of inconsistant signals when remaining signals are consistent,
b. is chosen using pre-established decisions if sufficient consistency is lacking, and
c. is tagged to inform the operator of its quality status.

Thus, the process is designed to provide extra reliability and to reduce decision making overhead in emergency situations.

(36)

i GGNS SPDS SAFETY ANALYSIS REPORT 6.0 VERIFICATION AND VALIDATION 6.1 Verification and Validation Overview This section provides an overview of the SPDS Verification and Validation (V&V) program. The objective of the Verification and Validation Program is to provide a quality SPDS through independent technical review and evaluation conducted in parallel with SPDS development. When V&V is integrated with the SPDS development process it provides a means for:

o independent technical evaluation of the system o assuring formally documented implementation o Laproved integration of system hardware and software o regulatory review and approval 6.2 SPDS Verification and Validation Key overall elements of SPDS V&V will be to assure:

o Comprehensive technical review of system functional requirements to assure that the SPDS will perform appropriate functions.

o Comprehensive technical evaluation of the implementation process to establish that succeeding tasks are a consistent, complete and correct translation of previous tasks in the development process.

o Adequcce documentation of the system, as well as for system implementation, o Adequate configuration management to docu=ent and control system and i=plementation changes.

6.3 System Requirements Verification System Requirements Verification is a review of the system requirements d9cumentation against standards and regulations. The object of this evaluation is to determine that the functions described in the system requirements meet the intent of NUREG-0737 Supplement 1. The require-ments are reviewed for correctness, completeness, consistency, under-standability, feasibility, testability, and traceability.

6.3.1 System Recuirements Verification Overview System Requirements Verification will be separated Lato two phases. Initial activities will include preparing an Originating Requirements List (t ed on NRC regulations and guidelines) and a (37)

e.

GGNS SPDS SATETY ANALYSIS RIPORT Systes Requirements List (based on MP&L's requirements). These will be performed tu preparation for the formal System Requirements Verification. Formal evaluation of the system requirements will follow this preparation.

6.3.2 Traceability Matrix is part of V&V documentation, a traceability matrix will be utilized. The function of the matrix for V&V is to show the correistion of the SPDS functional and administrative require-ments to the NRC requirements and to the functional-capabilities of the system, which in turn link to the Validation Test Plan and Validation Test Procedures and the test results. The matrix will demonstrate that all system functions have been tested.

Functionally, the matrix will facilitate the logical organization of a significant amount of data. H is method is designed to provide a simpler and clearer tracking of the identified requirements.

6.4 Hardware / Software Design Verification The objective of Hardsare/ Software Design Verification is to establish the relationship between the system function and its design structure.

This establishes a basis for validation testing and evaluation.

6.5 SPDS Validation System Validation is an end-to-end evaluation of the system functions to demonstrate that the system meets the system requirements. Demonstration of acceptable operation with the implemented functions is accomplished through a planned testing and evaluation process. The validation process will include functional and performance testing and dynamic performance engineering evaluation. Requirements verification and design analysis will be used as insight to the validation process by identifying the (38)

. . l 1

1 l

GGNS SPDS SAFETY ANALYSIS REPORT

\

system's functional capabilities and limitations. The steps of the SPDS System Validation are:

o prepare Validation Test Plan o prepara Validation Test Procedures o perform Validation Testing and Analysis o prepare final Validation Test Report Validation tests are used to confirm correct operation of specific functional and performance requirements of the system. They will cover data acquisition, CPU and general purpose programs, SPDS applications programs, and display system requirements. Where possible, clearly defined acceptance criteria such as accuracy, response time, transfer function, alar.n conditions, etc. will be used. Functions may be tested with both static and dynamic data inputs. Tests will include coverage of bcch the valid and invalid input domain. Particular attention will be given to validity algorithm or other data checking methods.

Engineering evaluation will be performed to show that the control room operator has available, rapidly and reliably, appropriate variables. The engineering evaluation will include appropriateness of parameters, timeliness of the display, accuracy, resolution, appropriately scaled trends, etc. The evaluation will also consider human engineering aspects such as concise display formats, the accessibility of data and continuous display of representative safety status information.

(39)

GGNS SPDS SAFEW ANALYSIS REPORT 7.0 HLHAN FACTORS ENGINEERING A fundamental design objective is for the SPDS to serve as an aid to the operating crew in monitoring the overall safety status of the plant and in initiating response to plant emergencies. Although as an operating aid the SPDS will not serve as essential safety instrumentation, it is ir.portant that human factors considerations be integral to the design process to assure SPDS effectiveness in emergency situations. Accordingly, a human f actors program was developed and appliec as part of the SPDS implementation program. The

. following considerations were included as part of GGNS SPDS human factors program.

7.1 Task Definition Task definition is necessary to acquaint the designer with the reasoning behind the display requirements and to provide understanding of how and -

when the displays will be used. The designer determines how each function is performed, the information needed to accomplish it, and how the display can assist operator performance.

7.2 Equipment Consideratiens This is to assure that any limitations which may be imposed by the equipment are known to the display designer. For example, the designer needs to determine the a=ount of information that will fit en one CRT screen, colors available, controls, brightness, resolution, etc.

7.3 Viewing Environment This will establish the location and environment in which the equipment is to be used and determine the positions (e.g. , standing, sitting, viewing distance) from which the user will want to read the information on the displays.

7.4 Human Factors Criteria This activity will identify human f actors principles and criteria that will be applied in the SPDS design. Appropriate principles and criteria were derived from such documents as Section 6.7.2 of NURIG-0700 (Cathode Ray Tube Displays), EPRI Report NP-3701, September 1984, "Computer Generated Display System Guidelines, Volume 1 Display Design" (40)

O .

GGNS SPDS SAFETY ANALYSIS REPORT (Ref. 7), BWROG Graphic Display Development Project (Ref. 4), GGNS DCRDR Computer Display Conventions, and NUREG-0800 Chapter 18.2, Safety Parameter Display Syntams.

In general, the following human factors aspects of display design were emphasized:

a. Logical, functional arrangements and groupings of information
b. Intelligibility .
c. Consistency in the manner of presenting information
d. Acceptable content density
e. Content integration
f. Readability
g. Ef fective, unambigious, consistent, and readily identifiable color usage
h. Application of highlighting techniques
1. Understandability of presented information '
j. Efficient utilization of display area .
k. Use of hierarchical labeling to promote readability and unambiguous interpretation of presented information 7.S Display Concepts Display concepts were developed regarding the content of individual displays as well as the overall structure of display hierarchy. The number of displays, display access, and their relationship to the GGNS PSTUs and EPs were addressed along with user capabilities so that the resulting displays mesh with user nonds.

9 (41) m

GGNS SPDS SAFETY ANALYSIS REPORT 7.6 Display Development This is the actual design of the displays and included activities such as the following:

a. Determine how the needed information is to be shovn,

~

b. Determine the appearance of each display element.
c. ' Determine the colors to be used.
d. Determine the dynamics of each variable element or feature. ,
e. Determine access to each display,
f. Determine how the user can recover from errors.
g. Determine what user prompts are to be used and where.

7.7 Disple.y Functional Descriotion Thr- iisplays and how they are to function were described in order to provide clear guidance to programming personnel for design of the final display products. All display characteristics were documented to provide a basis for configuration' management and potential future modifications as well as for preparation of SPDS training materials.

7.8 Displav Review The purpose of this step is to insure that the detailed design meets all the original requirements. An important step in this process is a review of the displays by typical users (i.e. , plant operators). This also included review by an independent human f actors consultant who evaluated displays against NUREG-0800 and the SPDS human factors engineering criteria.

(42)

O.

CGNS SPDS SAFETY ANALYSIS REPORT i '

8.0 MAN-MACHINE VALIDATION (HMV) 8.1 MMV Objectives Confirmation that the SPDS meets functional performance requirements will be achieved through static and dynamic evaluations of the GGNS SPDS. The evalua ions will address the integration of the SPDS with the PSTGs/EPs and the SPDS user in order to demonstrate that the SPDS aids in monitoring plant safety status and initiating response to plant emergencies. The objectives will be to validate the following:

o the SPDS exhibits good human engineering practices o the displays are understandable and usable o the displays are compatible with symptom-based EP entry conditions o the displays are responsive to changes in plant data and emergency conditions as directed by the EP's.

8.2 MMV Methods Methods to be employed for validation of system performance include simulator evaluations. Plant operators vill be requested to

~ observe preselected transients on the SPDS and indicate their responses to these transients. This will enable evaluators to determine if the operators can identify changes in CT status using the SPDS and are directed to the correct symptem-based EPs to mitigate these transients.

Operating personnel will be asked to explain what they observe on the SPDS and the actions they would normally take to mitigate the transients included in each scenario. The crew will move about the control room or simulator as if they were interacting with GGNS instrumentation and controls, obtaining and follbwing EPs, and using the SPDS to monitor CFs.

The tests will provide dynamic, real-time simulations for each scenario.

Scenarios will be selected that are sufficiently complex to involve l

{

(43)

o e

GGNS SPDS SAFETY ANALYSIS REPORT multiple system f ailures and the need for multiple operator decisions and actions for successful mitigation of the simulated emergency. The range of scenarios will challenge all CFs and exercise EP entry conditions.

Transients used- in simulator evaluations will be similar to those used for EP validation as described in the GGNS Emergency Procedures Generation Package (Ref. 8). These scenarios include multiple failures (concurrent and sequential) and, in combination, will dynamically exercise the EPs and the SPDS displays to the extent possible within the capabili-ties of the simulator.

Evaluation team members for simulator evaluations will be independent of the design group. EP trained operators who are f amiliar with SPDS use will participate in the phases of the Man-Machine Validation Program. Assessment of validation results, and the recommen-dation and implementation of corrective actions to resolve discrepancies will involve members from the evaluation team as wall as in81viduals who are knowledgeable in Control Room operations and SPDS design.

8.3 MMV Program Docu=entation Man-Machine Validation Program documentation will include:

a. A program plan
b. Evaluation procedures
c. Ccepleted checklists and other collected data
d. Assessments of the results of the evaluations
s. Recom=endations for corrections of deficiencies

. (44) j

GGNS SPDS SAFETY ANALYSIS REPORT 9.0 OPERATOR TRAINING SPDS training for Control Room operators will be incorporated in the GGNS training program. Control room operators will be fernally trained on the simulator prior to implementation of the SPDS at the plant. SPDS training will include the use of the SPDS, SPDS display information content, the means of accessing displays, and the anticipated use of displays during both normal and off-normal plant conditions. The training program will be developed in accordance with the IN?O accreditation criteria. The program will utilize performance based objectives, clear and concise evaluation techniques and an overall feedback mechanism used to determine training effectiveness. Consistent with the design basis of the SPDS as an aid to safety status assessment and EP entry and execution, the training for the EPs will include situations where SPDS '.s -

available, and where SPDS is not available. Care will be taken to emphasize that the SPDS cannot be the only means used by the operator to monitor tne plant safety status.

l l

l l

l (t.5 )

r

, . . I GGNS SPDS SAFETY ANALYSIS REPORT 10.0 Conclusions The GGNS SPDS is being implemented in compliance with the SPDS requirements of NUREG-0737 Supplement 1 as summarized below. A review of GGNS Technical Specifications indicates that implementation of the SPDS as described in this Safety Analysis Report (SAR) will not require modification or addition to the Technical Specifications.

10.1 Compliance with NUREG-0737 Supplement 1, Section 4.1.a As discussed in Section 4.0 of the Safety Analysis, display of the status of emergency procedure (EP) entry condition status summary, as well as values and alarms for the principal control parameters from the PSTG control functions constitutes a concise display of critical plant var.* ables to aid operators in determining plant safety status.

As discussed in Section 2.0 of the Safety Analysis, design of the GGNS SPDS as an aid to operators in determining the safety status of the plant and assessing whether abnormal conditions warrant corrective action to avoid a degraded core, by using the NRC approved BVROG EPGs and the GGNS PSTGs as part of the design basis for SPDS, is consistent with Section 4.1.a of Supplement 1.

10.2 Compliance with NUREG-0737 Supplement 1, Section 4.1.b As discussed in Section J.4 of the Safety Analysis, GGNS is being l

provided with an SPDS console in an appropriate location in the Control Room which can be used by operators to readily and reliably assess plant safety statua.

10.3 Compliance with NUREG 0737 Supplement 1 Section 4.1.c As discussed in Section 4.0 of the Safety Analysis, the GGNS SPDS will be used to aid and aug=ent the installed Contrpl Room instrumentation and j

controls. As discussed in Section 3.10 the computers and equipment of SPDS are suitably isolated from safety system equipment and sensors. EPs, being developed at GGNS in parallel to SPDS, permit timely and correct (46)

4

{

l GGNS SPDS SAFETY ANALYSIS REPORT assessment of plant safety status whether the SPDS is available or not, and licensed operators will be trained to enter and execute the EPs both with and without SPDS, as discussed in Sections 3.2, 3.4, 4.0 and 9.0.

10.4 Compliance with NUREG-0737 Supolement 1, Section 4.1.d Selection of specific Laformation to be included in the SPDS is based on NRC accepted BWROG EPGs and the GGNS PSTGs using sound enginoering evalua-tion and judgment as discussed in Sections 2.0 and 4.0 of the Safety Analysis. As discussed in Section 3.6 of the Safety Analysis the SPDS is being designed to permit future modifications based on results from th>;e related activities.

10.S Compliance with NUREG-0737 Supplement 1, Section 4.1.e As discussed in Section 7.0 of the Safety Analysis the GGNS SPDS displays are designed to incorporate accepted human factors principles for revs / perception and comprehension by SPDS users.

10.6 Comoliance with NURIG-0737 Supplement 1, Section 4.1. f The five critical safety functions (CSFs) specified in Sectica 4.1.f are inha:ently addressed by the BWROG EPGs, which have been accepted by the NRC, and Section 2.0 of the Safe:y Analysis has shown the correlation between these CSFs and the ger.aric EPGs in Table 2.1-1. The NRC has accepted 'the BWR0G EPGs as an adequate basis for development of plant specific technical guidelines and emergency operating procedures. As discussed La Section 2.0, the GGNS EPs and PSTGs have been developed l

l directly from the EPGs, and these two documents have been used as part of the SPDS design basis. With the safety parameter information from the principal control functions embodied in the PSTGs and the EP entry anc l execution support information being incorporated in the GGNS SPDS, as I discussed in Sections 2.0 anc 4.0, it is concluded that the SPDS will provide sufficient infornation to operators about the safety status, including all stated CSFs, to aid the operating crew in execution of appropriate response.

I l

l l (47)

n APPENDlX A GGNS SPDS SAFETY ANALYSIS REPORT PRINCIPAL CONTROL PARAMETER SET This Appendix contains detailed information concerning the SPDS parameters used at GGNS.

NOTE: R.0 Appendix A has been deleted. This Appendix A was formerly Appendix B in Revision 0.

t (A-1) l J14HISC88033103 - 1 1

_ _ _ . _ . _ _ _ _ _ - - - _ _ _ - . _ _ _ _ . _ _ _ . J

APPENDIX A GGNS SPDS SAFETi ANALYSIS REPORT 1.0 RFV Vater Level Parameter Basis RPV nater level is one of the three major parameters used in the RPV Control Guideline to ensure that the core is adequately cooled. RFV level below Level 2 is an entry condition to RPV control.

In a BVR, if it can be determined that RPV water level is above the top of the active fuel, than adequate core cooling can be assured under all conditions.

Since this parameter is singularly definitive of adequate core cooling its significance cannot be ovc; emphasized and a large number of cperator actions are directed to:

a. Determine RPV water level
b. Restore RPV water level
c. Flood the RPV if RPV water level cannot be determined Upon decreasing water level, the operator is directed to take a number of steps to "restore and maintain" in one of several bands, with the severity of these actions increasing as water level decreases from the normal band through top of active fuel (TAF).

2.0 RPV Pressure Parameter Basis RPV pressure is the second major parameter used in the RPV control guideline to assure that the core is adequately cooled. RPV pressure above the scram s etpoint is an entry condition to RPV control.

The direct concern is for the structural integrity of the reactor pressure vessel (i.e., failure of SRV's), however, RPV pressure is also used indirectly to determine reactor power, RPV water level and containment loading / integrity.

Since the sources of RPV water makeup all have certain pressure ranges in which they are effective, knowledge of RPV pressure is necessary for the operator to determine if any of his available makeup systems are capable of injecting into the RPV and/or to key him to take actions to reduce RPV pressure to the peine l that available systems can inject into the RPV.

l

{

(A-2) l i

l t ,

, APPENDIX A GGNS SPDS SAFETY ANALYSIS REPORT 3.0 Reactor Power Parameter Basis Reactor power is the third major parameter used in the RPV control guideline.

Reactor power level above the low APRM trip setpoint (following a condition requiring reactor scram) is an entry condition to RPV control. Power levels above this indicate potential ATdS scenarios which not caly challenge the core (through rapidly decreasing RPV water level) but also the containment.

Containcant heat removal capacity is based on attaining a reactor shutdown within a short period of time af ter NSSSS initiation.

If power level remains high, the energy absorption capabilities of the suppression pool will be exceeded and design containment temperatures and pressures may be exceeded.

Operator actio% to protect the core and containment increase in severity with power levels above the shutdewn range. Since the APRM's are normally in service and will rapidly go downscale if reactor shutdown (control red insertion) is effected, the APRM devnscale trip point provides a rapidly determinable "go - no go" point.

Long term power level determinations can utilize other neutron monitors, and/or thermodynamics pt sparties (such as RPV pressure, suppression pool te=peratures and containnent parameters) to define additional operator action levels.

4.0 RPV Vater Tamperature Parameter Basis The need to monitor RPV water temperature is necessitated by MPSL's use of plant recovery procedures.

S.O Scram Status Parameter Bases SCRAM status is required to assure the reactor is shutdown without the need for Boron Injection (e.g., ATiS scenarios). A condition which required reactor scram coincident with the reactor at , over is indicative of a f ailure to scram and thus relates directly to reactor power control and is thus an entry condition to RPV control.

(A-3) 4

p-* .

  • APPENDtx g 6

GGNS SPDS SAFEW ANALYSIS REPORT 6.0 Drywell Pressure Parameter Bases High Drywell pressure is an entry condition to containment control. Increasing drywell pressure is a symptom of a primary system leak in the drywell and is used on a number of automatic functions including reactor scram, isolation and ECCS initiation for this reason.

The entry condition is high enough to avoid "spurious" entry into Emergency Procedures but low enough to permit the operator to use his "normal" systems to reduce the pressure below the entry condition if there is no significant LOCA.

Since the drywell is vented to the containment (via the Suppression Pool and/or bypass leakage) entry into this procedure requires the operator to "monitor and control" containment pressure and to do so in conjunction with (*rywell -

pressure.

Dryvell pressure increases are also associated (ther=edynamically) with drywell te=perature, suppression pool temperature / level and containment temperature so the operator is directed to concurrently =enitor and control these parameters whenever he exceeds the high drywell pressure entry level.

7.0 Drywell Temperature Parameter Bases Drywell te=peratures above the II,0 point are indicative of either a loss of drywell cooling or LOCA. In addition to being concerned with a LOCA (i.e. , RPV control) the operator

  • sill be concerned with equipment inside the drywell that may be te=perature sensitive.

8.0 Containment Temperature Parameter Bases Containment temperatures abovs the LCO point are indicative of a loss of contain=ent cooling, excessive bypass leakage during LOCA events, excessive suppression pool temperatures or incomplete steam condensation (during SRV actuation or LCCA). ,.

In addition to being concerned with a LOCA (i.e., RPV control) the operator will be concerned with equipment inside the containment that may be tempe rature sensitive.

(A-4)

.e 8

APPENDfX A i

GGNS SPDS SAFETT ANALYSIS RIPORT 9.0 Containment Pressure Parameter Bases The primary containment pressure control (PC/P) section of the Primary Cor.tainment Control Guideline specifies actions for controlling and maintaining primary containment pressure. Excessive primary containment pressure may result in overpressurization of the containment leading to containment failure.

10 0 Suppression Pool Temperature Parameter Bases The suppression pool temperature control (SP/T) section of the Primary Containment Control Guideline specifies actions for controlling and maintaining suppression pool temperature. Excessive suppression pool temperature may result in exceeding NPCH limits for pumps takirg suction from the suppression pool, exceeding design temperature limits for the suppression chamber, or unstable steam condensation from SRV discharges leading to containment f ailure.

11.0 Suppression Pool (Containment) Vater Level Parameter Basis The suppression pool water level control (SP/L) section of the Primary Containment Control Guideline specifies actions for controlling and maintaining suppression pool water level. Insufficient supprestion pool water level may result in insufficient NPSH for pumps taking suction on the pool or unstable steam condensation from SRV discharges leading to containment failure.

Excessive suppression pool water level may result in hydro dynamic loads from SRV discharges in excess of the loads to which the primary containment and equipment within the primary containment were designed, also lesoing to contain=ent failure.

12.0 Offsite Radioactivity Release Rate

' Parameter Bases The Radioactivity Release Control Guideline establishes the basis for isolating l

systems and controlling RPV pressure to minimize the of f site release of radioactivity in an emergency.

l Discharges from primary systems to areas outside of the primary and secondary containment are isolated (if possible) to terminate or minimize any release.

1 (A-5) i l

l l

L

\ o' a>*- .

f REFERENCES

1. Additional information required for NRC Staff Generic Report on Boiling Water Reactors, NEDO-24708, General Electric Company, August 1979
2. Safety Evaluation Report of BVR Emergency Procedure Guidelines, Revision 3, U.S. Nuclear Regulatory Commission, November 23, 1983
3. GGNS PSTGs, draft dated June 4, 1985
4. Graphic Display Development Program, U.S. Department of Energy and Electric Power Research Institute, RP 2347 Interim Report OEI8304-1, Operations Engineering, Inc., December 1984
5. Requirements for Emergency Response Capability, NUREG-0737, Supplement 1 (Generic Letter 82-83), U.S. Nuclear Regulatory Commission, December 17, 1982
6. Emergency Procedure Guidelines, Revision 3, Boilint Vater Reactor Owner's Group
7. Computer-Generated Display System Guidelines, Volume I: Display Design, EPRI NP-3701, Septe=ber 1984
8. GGNS Emergency Procedures Generation Package, MP&L Letter AECM 85/0110 dated April 11, 1985 l

l l ,

i l

l l

1

{ (R 1)

o CONCURRENCE REVIEh' FORM RESPONSE DUE: /

3

, AECM- ff o r9Rev. C (N"C "^ Wj0 Target)

SUB3ECT: m,hrd /s} $$$ $$$ $dwyy r r Wb3/.f , &vsblYn/ 6 .

/d NRC Document Preparer /Dats 34//f7 Ah-M.I.

7/ResponsibleSectionyanager/Datd 4///89

/

SECTION II Y N Concur Concur with Comments

)() N / ([ ( )

V Nuclear rations /Date

()(d (I ()

VP Nuclear Engineering &

Support /Date

()W) () ()

Site Director /Date

( ) (X) () ()

GGNS General Manager /Date

( ) (A) () (l Director, NPE/Date l

()() ( ) h M' ([( )

i h ctor, h N ear ~

Lic nsing/Date

()() () ()

NRC SUBMITTAL PREPARATION / REVIEW REV. 3 ATTACHMENT IV TO PROCEDURE 1.13 PAGE 1 of 1 SF-SHELL61 - 1 l