ML22112A079

From kanterella
ABB System 80+ Design Control Document - Volume 20

Site: LaSalle, 05200002
Issue date: 01/31/1997
From: ABB Combustion Engineering
To: Office of Nuclear Reactor Regulation
Shared Package: ML20148A597
References: NUDOCS 9705090171


Text

The System 80+ Standard Plant
Design Control Document
Volume 20

Combustion Engineering, Inc.

Copyright © 1997 Combustion Engineering, Inc., All Rights Reserved.

Warning, Legal Notice and Disclaimer of Liability

The design, engineering and other information contained in this document have been prepared by or for Combustion Engineering, Inc. in connection with its application to the United States Nuclear Regulatory Commission (US NRC) for design certification of the System 80+ nuclear plant design pursuant to Title 10, Code of Federal Regulations Part 52. No use of any such information is authorized by Combustion Engineering, Inc. except for use by the US NRC and its contractors in connection with review and approval of such application. Combustion Engineering, Inc. hereby disclaims all responsibility and liability in connection with unauthorized use of such information.

Neither Combustion Engineering, Inc. nor any other person or entity makes any warranty or representation to any person or entity (other than the US NRC in connection with its review of Combustion Engineering's application) concerning such information or its use, except to the extent an express warranty is made by Combustion Engineering, Inc. to its customer in a written contract for the sale of the goods or services described in this document. Potential users are hereby warned that any such information may be unsuitable for use except in connection with the performance of such a written contract by Combustion Engineering, Inc.

Such information or its use are subject to copyright, patent, trademark or other rights of Combustion Engineering, Inc. or of others, and no license is granted with respect to such rights, except that the US NRC is authorized to make such copies as are necessary for the use of the US NRC and its contractors in connection with the Combustion Engineering, Inc. application for design certification.

Publication, distribution or sale of this document does not constitute the performance of engineering or other professional services and does not create or establish any duty of care towards any recipient (other than the US NRC in connection with its review of Combustion Engineering's application) or towards any person affected by this document.

For information address: Combustion Engineering, Inc., Nuclear Systems Licensing, 2000 Day Hill Road; Windsor, Connecticut 06095


System 80+ Design Control Document

Introduction

Certified Design Material
1.0 Introduction
2.0 System and Structure ITAAC
3.0 Non-System ITAAC
4.0 Interface Requirements
5.0 Site Parameters

Approved Design Material - Design & Analysis
1.0 General Plant Description
2.0 Site Characteristics
3.0 Design of Systems, Structures & Components
4.0 Reactor
5.0 RCS and Connected Systems
6.0 Engineered Safety Features
7.0 Instrumentation and Control
8.0 Electric Power
9.0 Auxiliary Systems
10.0 Steam and Power Conversion
11.0 Radioactive Waste Management
12.0 Radiation Protection
13.0 Conduct of Operations
14.0 Initial Test Program
15.0 Accident Analyses
16.0 Technical Specifications
17.0 Quality Assurance
18.0 Human Factors
19.0 Probabilistic Risk Assessment
20.0 Unresolved and Generic Safety Issues

Approved Design Material - Emergency Operations Guidelines
1.0 Introduction
2.0 Standard Post-Trip Actions
3.0 Diagnostic Actions
4.0 Reactor Trip Recovery
5.0 Loss of Coolant Accident Recovery
6.0 Steam Generator Tube Rupture Recovery
7.0 Excess Steam Demand Event Recovery
8.0 Loss of All Feedwater Recovery
9.0 Loss of Offsite Power Recovery
10.0 Station Blackout Recovery
11.0 Functional Recovery Guideline

The System 80+ Standard Plant
Approved Design Material
Design & Analysis

Combustion Engineering, Inc.

AC Sources - Operating
B 3.8.1

B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.1 AC Sources - Operating

BASES

BACKGROUND

The AC Power Sources consist of the offsite power sources (preferred power) and the onsite standby power sources (Division 1 and Division 2 diesel generators). In addition, a Combustion Turbine Generator (CTG) backs up the EDGs and provides a diverse on-site AC standby power source. As required by 10 CFR 50, Appendix A, General Design Criterion 17 (Ref. 1), the design of the AC power system provides independence and redundancy to ensure an available source of power to the Engineered Safety Feature (ESF) systems.

The Division 1 and 2 onsite Class 1E AC Distribution System is divided into redundant load groups (divisions) so that loss of any one group will not prevent the minimum safety functions from being performed. Each division has connections to two preferred (offsite) power supplies and to a single diesel generator. However, one diesel generator may be replaced by the CTG if its operation has been verified in the past 7 days.

A qualified circuit consists of all breakers, transformers, switches, interrupting devices, cabling, and controls required to transmit power from the offsite transmission network to the onsite Class 1E ESF bus or buses. The AC Distribution System consists of four (4) qualified circuits.

Independent transmission lines supply offsite power to Preferred Switchyards I & II. Preferred Switchyard I feeds the Unit Main Transformer (UMT) and Preferred Switchyard II feeds the Reserve Auxiliary Transformers (RATs). The UMT transforms [230 kV] to [24 kV]. This [24 kV] is fed to two Unit Auxiliary Transformers (UATs). These UATs each provide power to their respective separate switchgear groups X and Y.

UATs are the normal preferred source of power to the [4160 volt] emergency buses. X-UAT provides the power to Division 1 emergency buses and Y-UAT provides the power to Division 2 emergency buses. Backup offsite power for either or both of the emergency buses is provided through the RATs (1 per division). If offsite power is not available, the emergency buses are supplied from their respective diesel generator (DG). DG1 supplies power to Division 1 emergency buses and DG2 supplies power to Division 2 emergency buses. In addition, power can be supplied to any one emergency bus from the CTG when a DG is inoperable.

SYSTEM 80+ B 3.8-1 Rev. 00 16A Tech Spec Bases

Certain required unit loads are returned to service in a predetermined sequence in order to prevent overloading the transformer supplying offsite power to the onsite Class 1E Distribution System. Within [1 minute] after the initiating signal is received, all automatic and permanently connected loads needed to recover the unit or maintain it in a safe condition are returned to service via the load sequencer.

If power were lost from either UAT, undervoltage relays would sense this condition. The electrical system would then attempt to transfer to the backup preferred source (the associated RAT). The transfer to the associated RAT will occur on the affected permanent non-safety bus. If power is not available from the backup preferred source, the DG is automatically used to power the associated emergency buses.

The onsite standby power source for each division ESF bus is a dedicated DG. The DGs start automatically on a Safety Injection Actuation Signal (SIAS) or on a loss of voltage (LOV) on the respective emergency buses. Even though the DGs are started on SIAS, they will not power the emergency buses unless the offsite sources of power are unavailable.

The DG automatically ties to its buses on a LOV condition on that bus with offsite power unavailable.

Following the trip of offsite power, [a sequencer/an undervoltage signal] strips nonpermanent loads from the ESF buses. When the DG is tied to the ESF buses, loads are then sequentially connected to their respective ESF buses by the automatic load sequencer. The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading the DG by automatic load application.

In the event of a loss of preferred power, the ESF electrical loads are automatically connected to the DGs in sufficient time to provide for safe reactor shutdown and to mitigate the consequences of a Design Basis Accident (DBA) such as a loss of coolant accident (LOCA).

Certain required unit loads are returned to service in a predetermined sequence in order to prevent overloading the DG in the process. Within [1] minute after the initiating signal is received, all loads needed to recover the unit or maintain it in a safe condition are returned to service.

In accordance with Regulatory Guide 1.9 (Ref. 2), diesel generators 1 and 2 have [6067] kW continuous and [6674] kW two-hour load ratings. The diesel generators are rated at [4160 volts], three phase, 60 Hz, and are capable of attaining required frequency and voltage within twenty seconds after receipt of a start signal (Ref. 3). The ESF systems which are powered from divisional power sources are listed in Reference 3.

The CTG is a diverse and independent non-Class 1E on-site power source provided for coping with Station Blackout (SBO) and Loss of Offsite Power (LOOP) scenarios. The CTG is located within the protected area and will start automatically within [2] minutes from the onset of a LOOP event. In addition, the CTG is automatically connected to the de-energized 4.16 kV Permanent Non-Safety buses. Alignment to the Class 1E ESF buses is accomplished from the control room. The CTG is sized to accommodate the loads of one Safety Division for a worst case unit shutdown to cold shutdown and/or DBA and one division of Permanent Non-Safety loads.

The CTG is Quality Class 2 and is designed with a High Confidence of Low Probability of Failure (HCLPF) value that provides assurance that the CTG will be available to back up the DGs for seismic events on the order of the design basis earthquake of .39 (Ref. 15). This robust design includes the enclosure and the support systems of the CTG.

Other external events which could affect CTG availability as a backup to the DG are hurricanes and tornados. Due to early warning systems the plant will be required to shut down as a hurricane approaches. For the tornado it is assumed the CTG will not be available.

A PRA for the CTG's contribution to core damage frequency (CDF) was performed. This PRA provides assurance that the CTG can be substituted for the DG without adversely impacting the CDF for internal events and tornado strikes.

APPLICABLE SAFETY ANALYSES

The initial conditions of DBA and transient analyses in Chapters 6 (Ref. 4) and 15 (Ref. 5) assume ESF systems are OPERABLE. The AC Power System is designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded. These design limits are discussed in more detail in the Bases for LCO Sections 3.2 (Power Distribution Limits), 3.4 (Reactor Coolant System), and 3.6 (Containment Systems).

In general, the safety analysis considered offsite power to be available to ESF equipment following event initiation.

Offsite power is not considered to be safety-related. A loss of offsite power (LOOP) alone is an analyzed event since it presents a challenge to the plant's safety features and would result in a total loss of AC power if the diesel generators failed to start.

The OPERABILITY of an offsite AC source is not explicitly required by the safety analyses. Therefore, the need for two qualified circuits was not derived from the safety analysis, since events postulating failure of offsite power considered a complete loss of offsite power. Such events disable all offsite circuits. The requirement for two qualified circuits was derived from the design criteria (Ref. 1) and standards incorporated into the plant design, which required redundant, independent offsite power sources.

The OPERABILITY of the AC electrical power sources is consistent with the initial assumptions of the accident analyses and is based upon maintaining at least one division of the AC and DC Power Sources and associated distribution systems OPERABLE during accident conditions in the event of (1) an assumed loss of all offsite or all onsite AC power, and (2) a worst case single failure.

The AC sources satisfy Criterion 3 of the NRC Policy Statement.

LCO

Two qualified circuits (Ref. 3) between the offsite transmission network and the onsite Class 1E AC Distribution System, and the two independent diesel generators (Ref. 3) each capable of supplying one division of the onsite Class 1E AC Distribution System, ensure availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an anticipated operational occurrence (AOO) or a postulated design basis accident (DBA).

Qualified offsite circuits are those that are described in Chapter 8 and are part of the licensing basis for the unit.

Each offsite circuit must be capable of maintaining required frequency and voltage, and accepting required loads during an accident, while connected to the ESF buses.

The two circuits from offsite are physically independent such that a single component fault (e.g., breaker trip) will not cause both power sources to be lost to one or more [4160 volt] emergency buses. Thus, a physically independent circuit consists of one incoming line to the [230 kV] (Preferred Switchyard Interface I) switchyard, a circuit path (including breakers and disconnects) to one energized UAT (X or Y), and a circuit path from the energized UAT to the associated [4160 volt] emergency buses. A physically independent circuit also consists of the incoming line to the Preferred Switchyard Interface II, a circuit path (including breakers and disconnects) to the one energized RAT (Division I or II), and a circuit path from the energized RAT to its 4160 volt emergency buses. Each division contains an automatic load sequencer to control sequencing of Accident or Loss-of-Offsite Power loads.

Therefore, the AC Power System has a total of four (4) qualified circuits between the offsite transmission network and the onsite Class 1E AC Distribution System, two circuits per division.

Inoperable AC sources do not necessarily result in inoperable components (which are designed to receive power from that source) unless specifically directed by Required Actions (refer to LCO 3.0.7).

Each DG must be capable of starting, accelerating to required speed and voltage, and connecting to its respective ESF bus on detection of bus undervoltage. This will be accomplished within 20 seconds. Each DG must also be capable of accepting required loads within the assumed loading sequence intervals, and continue to operate until offsite power can be restored to the ESF buses. These capabilities are required to be met from a variety of initial conditions such as DG in standby with the engine hot, DG in standby with the engine at ambient conditions, and DG operating in a parallel test mode. Proper sequencing of loads, including tripping of nonessential loads, is a required function for DG OPERABILITY.

Certain diesel generator support systems are addressed in other LCOs. During inoperabilities in these support systems, inoperable diesel generators do not necessarily result unless specifically directed by Required Actions. This is in accordance with LCO 3.0.7.

APPLICABILITY

The AC Power Sources and sequencers are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of anticipated operational occurrences or abnormal transients; and

b. Adequate core cooling is provided, and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.

AC Power Source requirements for MODES 5 and 6 are addressed in LCO 3.8.2, "AC Sources - Shutdown".

ACTIONS

A.1, A.2, and A.3

With one of the required offsite circuits inoperable, sufficient offsite power is available from the other required offsite circuit to ensure that the unit can be maintained in a safe shutdown condition following a design basis transient or accident. Even failure of the remaining required offsite circuit will not jeopardize a safe shutdown of the unit because of the redundant standby diesel generator which is backed up by the CTG. However, since system reliability is degraded below the LCO requirements, a time limit on continued operation is imposed. To ensure a highly reliable power source remains, it is necessary to verify the OPERABILITY of the remaining required offsite circuit on a more frequent basis.

Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action not met. However, if a second required circuit fails SR 3.8.1.1, the second offsite circuit is inoperable, and Condition C, for two offsite circuits inoperable, is entered.

The specific list of features encompassed by Required Action A.2 is provided in Reference 8. These features are those which are designed with redundant safety-related divisions. Single division systems are not included. Since the Completion Time allowance for this Required Action is limited to 24 hours, those systems with allowed Completion Times ≤ 24 hours for both divisions inoperable are not included as required features to be checked. Twenty-four hours is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown. The remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to Division 1 and Division 2 of the onsite Class 1E AC Distribution System. The 24 hour Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature.

Additionally, the 24 hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period. Required Action A.2, which only applies if the division cannot be powered from an offsite source, is intended to provide assurance that an event with a coincident single failure of the associated diesel generator will not result in a complete loss of safety function of critical systems. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock". In this Required Action, the Completion Time only begins on discovery that both: 1) the division has no offsite power supplying its loads, and 2) a required feature on the other division is inoperable. If at any time during the existence of this Condition (one offsite circuit inoperable) a redundant required feature subsequently becomes inoperable, this Completion Time begins to be tracked.

According to Regulatory Guide 1.93 (Ref. 8), operation may continue in Condition A for a period that should not exceed 72 hours. With one offsite circuit inoperable, the reliability of the offsite system is degraded, and the potential for a loss of offsite power is increased, with attendant potential for a challenge to the unit safety systems. In this Condition, however, the remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to the onsite Class 1E AC Distribution System.

The second Completion Time for Required Action A.3 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, a DG is inoperable, and that DG is subsequently returned OPERABLE, the LCO may already have been not met for up to 72 hours. This could lead to a total of 144 hours, as a result of initial failure to meet the LCO, to restore the offsite circuit. At this time, a DG could again become inoperable, the circuit restored OPERABLE, and an additional 72 hours (for a total of 9 days) would be allowed prior to complete restoration of the LCO. The 6 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 72 hour and 6 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

As in Required Action A.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This will result in establishing the "time zero" at the time that the LCO was initially not met, instead of at the time Condition A was entered.

The 72 hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

B.1, B.2, B.3.1, and B.3.2

To ensure a highly reliable offsite power source remains with an inoperable DG, it is necessary to verify the availability of the offsite circuits on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action being not met. However, if a circuit fails to pass SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions and Required Actions must then be entered.

The specific list of features encompassed by Required Action B.2 is provided in Reference 8. These features are those which are designed with redundant safety related divisions. Single division systems are not included. Since the Completion Time allowance for this Required Action is limited to four hours, those systems with allowed Completion Times ≤ four hours for both divisions inoperable are not included as required features to be checked. Required Action B.2 is intended to provide assurance that a loss of offsite power, during the period that a diesel generator is inoperable, will not result in a complete loss of safety function of critical systems. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both: 1) an inoperable diesel generator exists, and 2) a required feature on the other division is inoperable. This will result in establishing the "time zero" at the time that the LCO was initially not met, instead of at the time Condition B was entered. If at any time during the existence of this Condition (one diesel generator inoperable) a required feature subsequently becomes inoperable, this Completion Time would begin to be tracked.

The Completion Time is based on engineering judgement taking into consideration the probability of a loss of offsite power occurring while the other division (1 or 2) DG is inoperable. This is comparable to, but less severe than Condition E (both DGs inoperable) and therefore has a comparable, but less restrictive, Completion Time.

Discovering one required DG inoperable coincident with one or more inoperable required support or supported features, or both, that are associated with the OPERABLE DG, results in starting the Completion Time for the Required Action.

Four hours from the discovery of these events existing concurrently is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.

In this Condition, the remaining OPERABLE DG and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. Thus, on a component basis, single failure protection for the required feature's function may have been lost; however, function has not been lost. The 4 hour Completion Time takes into account the OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 4 hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

The Note in Condition B requires that Required Action B.3.1 or B.3.2 must be completed if Condition B is entered. The intent is that all DG inoperabilities must be investigated for common cause failures regardless of how long the DG inoperability persists.

Required Action B.3.1 provides an allowance to avoid unnecessary testing of OPERABLE DGs. If it can be determined that the cause of the inoperable DG does not exist on the OPERABLE DG, SR 3.8.1.2 does not have to be performed. If the cause of inoperability exists on other DG(s), the other DG(s) would be declared inoperable upon discovery and Condition E of LCO 3.8.1 would be entered. Once the failure is repaired, the common cause failure no longer exists and Required Action B.3.1 is satisfied. If the cause of the initial inoperable DG cannot be confirmed not to exist on the remaining DG(s), performance of SR 3.8.1.2 suffices to provide assurance of continued OPERABILITY of that DG.

According to Generic Letter 84-15 (Ref. 9), 24 hours is reasonable to confirm that the OPERABLE DG(s) is not affected by the same problem as the inoperable DG.

B.4, B.5, and B.6

Required Actions B.4 and B.5 verify the CTG to be functional and capable of being aligned to the ESF buses. These actions ensure the CTG is available as an on-site power source. In accordance with Regulatory Guide 1.93 (Ref. 8), operations may continue for 72 hours without an OPERABLE DG; however, with a functional CTG capable of alignment to the ESF buses operation may continue for 14 days.

The CTG must be started and achieve required steady voltage and frequency within [2] minutes. In addition, alignment of the circuit must be verified within 72 hours and once per 8 hours thereafter. This action ensures the following: (1) the circuit from the CTG to the ESF buses is available, (2) the operator is familiar with the breaker alignment required to supply the ESF buses from the CTG, and (3) any misalignment of the circuit can be identified and corrected.

In Condition B, if the CTG is not available, the remaining OPERABLE DG and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System.

The 72 hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

In Condition B, if the CTG is available, the 14 day Completion Time of Required Action B.6 takes into account the ability of the CTG to automatically start and to be aligned to the ESF buses in [10] minutes. (See the Background section for a discussion of the CTG.)

The second Completion Time for Required Action B.6 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an offsite circuit is inoperable and that circuit is subsequently returned OPERABLE, the LCO may already have been not met for up to 72 hours. This could lead to a total of 17 days, since initial failure to meet the LCO, to restore the DG. At this time, an offsite circuit could again become inoperable, the DG restored OPERABLE, and an additional 72 hours (for a total of 20 days) allowed prior to complete restoration of the LCO. The 15 day Completion Time provides a limit on time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 14 day and 15 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

SYSTEM 80+ B 3.8-12 Rev. 00
16A Tech Spec Bases

AC Sources - Operating B 3.8.1

BASES

ACTIONS B.4, B.5, and B.6 (continued)

As in Required Action B.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed time "clock". This will result in establishing the "time zero" at the time that the LCO was initially not met, instead of at the time Condition B was entered.

C.1 and C.2

Required Action C.1, which applies when two offsite circuits are inoperable, is intended to provide assurance that an event with a coincident single failure will not result in a complete loss of redundant required safety functions. The Completion Time for this failure of redundant required features is reduced to 12 hours from that allowed for one division without offsite power (Required Action A.2). The rationale for the reduction to 12 hours is that Regulatory Guide 1.93 (Ref. 8) allows a Completion Time of 24 hours for two required offsite circuits inoperable, based upon the assumption that two complete safety divisions are OPERABLE. When a concurrent redundant required feature failure exists, this assumption is not the case, and a shorter Completion Time of 12 hours is appropriate. These features are powered from redundant AC safety divisions.

The specific list of features encompassed by Required Action C.1 is provided in Reference 8. These features are those which are designed with redundant safety-related divisions. Single division systems are not included. Since the Completion Time allowance for this Required Action is limited to 12 hours, those systems with allowed Completion Times ≤ 12 hours for both divisions inoperable are not included as required features to be checked. The requirement is intended to provide assurance that, should a coincident single failure of a diesel generator occur during the period with two offsite circuits inoperable, a complete loss of safety function of critical systems will not result. The Completion Time for Required Action C.1 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:

a. Two required offsite circuits are inoperable; and
b. A required feature is inoperable.

If at any time during the existence of Condition C (two offsite circuits inoperable) a required feature becomes inoperable, this Completion Time begins to be tracked. The Completion Time is based on engineering judgement taking into consideration the probability of an event concurrent with a single failure of a diesel generator occurring (on the division opposite to the inoperable feature) while two offsite circuits are inoperable. During the time this Condition exists (two offsite circuits inoperable), Condition A also exists concurrently for each of the inoperable offsite circuits independently. The Required Actions and associated Completion Times apply as discussed previously. This may result in more restrictive requirements for restoration and/or cross-divisional feature OPERABILITY checks.

According to Regulatory Guide 1.93 (Ref. 8), operation may continue in Condition C for a period that should not exceed 24 hours. This level of degradation means that the offsite electrical power system does not have the capability to effect a safe shutdown and to mitigate the effects of an accident; however, the onsite AC sources have not been degraded and are available to maintain the unit in a safe shutdown condition in the event of a DBA or transient. This level of degradation generally corresponds to a total loss of the immediately accessible offsite power sources. Because of the normally high availability of the offsite sources, this level of degradation may appear to be more severe than other combinations of two AC sources inoperable that involve one or more DGs inoperable. However, two factors tend to decrease the severity of this level of degradation:


a. The configuration of the redundant AC electrical power system that remains available is not susceptible to a single bus or switching failure; and
b. The time required to detect and restore an unavailable offsite power source is generally much less than that required to detect and restore an unavailable onsite AC source.

With both of the required offsite circuits inoperable, sufficient onsite AC sources are available to maintain the unit in a safe shutdown condition in the event of a DBA or transient. In fact, a simultaneous loss of offsite AC sources, a LOCA, and a worst case single failure were postulated as a part of the design basis in the safety analysis. Thus, the 24 hour Completion Time provides a period of time to effect restoration of one of the offsite circuits commensurate with the importance of maintaining an AC electrical power system capable of meeting its design criteria.

In accordance with Regulatory Guide 1.93 (Ref. 8), with the available offsite AC Electrical Power Sources two less than required by the LCO, operation may continue for 24 hours.

If two offsite sources are restored within 24 hours, unrestricted operation may continue. If only one offsite source is restored within 24 hours, power operation continues in accordance with Condition A. If no offsite circuit is restored within 24 hours, or if either inoperable offsite circuit is not restored within 72 hours of its initial inoperability in accordance with Condition A (which may occur, in some cases, prior to the 24 hour Completion Time), a controlled shutdown must be initiated per Required Action G.1.

D.1, D.2, D.3, and D.4

Pursuant to LCO 3.0.6, the Distribution System ACTIONS would not be entered even if all AC sources to it were inoperable, resulting in de-energization. Therefore, the Required Actions of Condition D are modified by a Note to indicate that when Condition D is entered with no AC source to one division, the Conditions and Required Actions for LCO 3.8.9, "Distribution Systems - Operating," must be immediately entered. This allows Condition D to provide requirements for the loss of one offsite circuit and one DG without regard to whether a division is de-energized. LCO 3.8.9 provides the appropriate restrictions for a de-energized division. This will continue to provide common mode failure considerations for the inoperable diesel generator, cross divisional features OPERABILITY considerations, and provide the appropriate time limit for continued operation while repairs are being attempted.

In Condition D, individual redundancy is lost in both the offsite power system and the onsite Division 1 or 2 AC Power System. However, since power system redundancy is provided by two diverse sources of power and the CTG is available, the reliability of the power systems in this Condition may appear higher than Condition C (loss of both required offsite circuits). This difference in reliability is offset by the susceptibility of this power system configuration to a single bus or switching failure. The 36 hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during the period.

Required Actions D.1 and D.2 verify the CTG to be functional and capable of being aligned to the ESF buses. These actions ensure the CTG is available as an on-site power source. In accordance with Regulatory Guide 1.93 (Ref. 8), operations may continue for 12 hours without an OPERABLE DG; however, with a functional CTG capable of alignment to the ESF buses operation may continue for 36 hours.

The CTG must be started and achieve required steady state voltage and frequency within [2] minutes. In addition, alignment of the circuit must be verified within 12 hours and once per 8 hours thereafter.

In Condition D, if the CTG is not available the inoperable DG or offsite circuit must be returned to OPERABLE status within 12 hours or Condition G must be entered. The 12 hours takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

In Condition D, with the CTG available, the 36 hour Completion Time of Required Actions D.3 and D.4 takes into account the ability of the CTG to automatically start and to be aligned to the ESF buses in [10] minutes. (See the Background section for a discussion of the CTG.)

E.1

With two required diesel generators inoperable, insufficient standby AC Power Sources are available to power the minimum required ESF functions. Since the offsite power system is the only source of AC power for this level of degradation, the risk associated with continued operation for a very short time could be less than that associated with an immediate controlled shutdown (i.e., the immediate shutdown could cause grid instability which could result in total loss of AC power). However, since any inadvertent generator trip could also result in total loss of AC power, the time allowed for continued operation is severely restricted. The intent here is not only to avoid the risk associated with an immediate controlled shutdown but also to minimize the risk associated with this level of degradation. During the time this condition exists (both DGs inoperable), Condition B also exists concurrently for each of the inoperable DGs independently. The Required Actions and associated Completion Times apply as discussed previously. This will continue to provide common mode failure considerations, cross-divisional feature OPERABILITY, and the appropriate time limit for continued operation while repairs are being attempted.

Per Regulatory Guide 1.93 (Ref. 8), with the available standby AC electrical supplies two less than the LCO, operation may continue for a period that should not exceed two hours.

F.1

The sequencers are an essential support system to [both the offsite circuit and the DG associated with a given ESF bus]. [Furthermore, the sequencer is on the primary success path for most major AC electrically powered safety systems powered from the associated ESF bus.] Therefore, loss of an [ESF bus sequencer] affects every major ESF system in the division. The 24 hour Completion Time provides a period of time to correct the problem commensurate with the importance of maintaining sequencer OPERABILITY. This time period also ensures that the probability of an accident (requiring sequencer OPERABILITY) occurring during periods when the sequencer is inoperable is minimal.

G.1 and G.2

The plant must be placed in a MODE in which the LCO does not apply if the Required Actions and associated Completion Times cannot be met. This is done by placing the plant in at least MODE 3 in six hours and in MODE 5 in 36 hours. The allowed Completion Times are reasonable based on operating experience to reach the required MODES from full power without challenging plant systems.

H.1

With three or more required AC sources inoperable, insufficient AC sources remain available to ensure safe shutdown of the unit in the event of a transient or accident with any additional single failure. At this severely degraded level, any further losses in the AC electrical power system will cause a loss of function. Immediately is used as an administrative means of not allowing any extension of the LCO 3.0.3 shutdown requirements.

SURVEILLANCE REQUIREMENTS

The AC Power Sources are designed to permit inspection and testing of all important areas and features, especially those which have a standby function, in accordance with 10 CFR 50, Appendix A, General Design Criteria 18 (Ref. 10).

Periodic component tests are supplemented by extensive functional tests during refueling outages (under simulated accident conditions). The Surveillance Requirements for demonstrating the OPERABILITY of the diesel generators are in accordance with the recommendations of Regulatory Guide 1.9 (Ref. 2), 1.108 (Ref. 11), and 1.137 (Ref. 12), as addressed in Chapter 8.

Where the SRs discussed herein specify voltage and frequency tolerances, the following is applicable. The minimum steady state output voltage of [3740] V is 90% of the nominal [4160] V output voltage. This value, which is specified in ANSI C84.1-1982 (Ref. 6), allows for voltage drop to the terminals of 4000 V motors whose minimum operating voltage is specified as 90% or 3600 V. It also allows for voltage drops to motors and other equipment down through the 120 V level where minimum operating voltage is also usually specified as 80% of name plate rating. The specified maximum steady state output voltage of [4576] V is equal to the maximum operating voltage specified for 4000 V motors. It ensures that for a lightly loaded distribution system, the voltage at the terminals of 4000 V motors is no more than the maximum required operating voltages. The specified minimum and maximum frequencies of the DG are [58.8] Hz and [61.2] Hz, respectively. These values are equal to 2% of the 60 Hz nominal frequency and are derived from the recommendations given in Regulatory Guide 1.9 (Ref. 2).

The Surveillance Requirements are preceded by a Note. The Note provides a list of SRs for which SR 3.0.2 is not applicable. The Frequency of these SRs is 24 months with no automatic extension. This is a conservative time period for performing the Surveillances and accounts for an 18 month fuel cycle with typical maintenance outage lengths and schedules. This 24 month Frequency provides sufficient time for maintenance and testing of the DGs to be performed without impacting outage scheduling or DG availability during all MODES of operation. More specifically, the 24 months provides the flexibility to schedule Surveillances to ensure DG OPERABILITY can be maintained and will preclude, during shutdown (MODE 5 and 6), requiring the OPERABLE DG from being paralleled with the required offsite power network when they are required AC sources.


SR 3.8.1.1

This Surveillance Requirement assures proper circuit continuity for the offsite AC power supply to distribution network and availability of offsite AC power. The breaker alignment verifies that each breaker is in its correct position to ensure distribution buses and loads are connected to their preferred power source and independence of offsite circuits is maintained. The 7 day Frequency is adequate since breaker position is not likely to change without the operator being aware of it and because status is displayed in the control room.

SR 3.8.1.2 and SR 3.8.1.7

These surveillances help to ensure the availability of the standby power supply to mitigate design basis accidents and transients and maintain the unit in safe shutdown conditions. To minimize the wear on moving parts that do not get lubricated when the engine is not running, these SRs are modified by a Note (Note 2 for SR 3.8.1.2) to indicate that all DG starts for these Surveillances may be preceded by an engine prelube period and followed by a warmup period prior to loading. For the purpose of this testing, the diesel generators shall be started from standby conditions. Standby conditions in this case means the diesel engine coolant and oil are being continuously circulated and temperature maintained consistent with manufacturer recommendations.

In order to reduce stress and wear on diesel engines, some manufacturers recommend a modified start in which the starting speed of DGs is limited, warmup is limited to this lower speed, and the DGs are gradually accelerated to synchronous speed prior to loading. This is the intent of Note 3, which is only applicable when such modified start procedures are recommended by the manufacturer.

SR 3.8.1.7 requires, on a 184 day Frequency, the diesel generators start from standby conditions and achieve required voltage and frequency within 20 seconds. The 20 second requirement supports the assumptions in the design basis loss of coolant accident (LOCA) analysis (Ref. 5).

The 20 second start requirement is not applicable to SR 3.8.1.2 which is performed on a Frequency specified in Table 3.8.1-1. If a modified start is not used, the 20 second start requirement of SR 3.8.1.7 applies. Since SR 3.8.1.7 requires a 20 second start, it is more restrictive than SR 3.8.1.2, and it may be performed in lieu of SR 3.8.1.2. This is the intent of Note 1 of SR 3.8.1.2.

The normal 31 day Frequency for SR 3.8.1.2 (see Diesel Generator Test Schedule, Table 3.8.1-1) is consistent with Regulatory Guide 1.9 (Ref. 2). The 184 day Frequency for SR 3.8.1.7 is a reduction in cold testing consistent with Generic Letter 84-15 (Ref. 9). These Frequencies provide adequate assurance of diesel generator OPERABILITY while minimizing degradation resulting from testing.

SR 3.8.1.3

This Surveillance verifies that the diesel generators are capable of synchronizing and accepting the equivalent of the maximum expected accident loads. The 60-minute run time for the diesel generator (required by Ref. 2) is to stabilize the engine temperature. This will ensure that cooling and lubrication are adequate for extended periods of operation while minimizing the time that the diesel generator is connected to the offsite power source.

Although no power factor requirements are established by this SR, the DG is normally operated at a power factor between [0.8 lagging] and [1.0]. The [0.8] value is the design rating of the machine, while [1.0] is an operational limitation [to ensure circulating currents are minimized].

The normal 31 day Frequency for this Surveillance (see Diesel Generator Test Schedule) is consistent with Regulatory Guide 1.9 (Ref. 2).

This Surveillance is modified by four Notes. The first Note allows gradual (manual) loading as recommended by the manufacturer to minimize stress and wear on the diesel engine (Ref. 9). The second Note allows momentary transients due to changing bus loads to not invalidate the test. Similarly, momentary power factor transients above the limit will not invalidate the test. The third Note requires that this Surveillance be conducted on only one diesel generator at a time. This will avoid a total loss of AC power due to a common cause failure in the offsite circuits or a perturbation on the grid. Note 4 stipulates a prerequisite requirement for performance of this SR. A successful DG start must precede this test to credit satisfactory performance.

SR 3.8.1.4

This SR provides verification that the level of fuel oil in the day tank [and engine mounted tank] is at or above the level at which fuel oil is automatically added. The level is expressed as an equivalent volume in gallons, and is selected to ensure adequate fuel oil for a minimum of 1 hour of DG operation at full load plus 10%.

The 31 day Frequency is adequate to assure that a sufficient supply of fuel oil is available, since low level alarms are provided and unit operators would be aware of any large uses of fuel oil during this period.

SR 3.8.1.5

Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the fuel oil day tanks once every 31 days eliminates the necessary environment for bacterial survival. This is the most effective means of controlling microbiological fouling.

In addition, it eliminates the potential for water entrainment in the fuel oil during DG operation. Water may come from any of several sources, including condensation, ground water, rain water, contaminated fuel oil, and from breakdown of the fuel oil by bacteria. Frequent checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system. The Surveillance Frequencies are established by Regulatory Guide 1.137 (Ref. 12). This SR is for preventive maintenance. The presence of water does not necessarily represent failure of this SR provided the accumulated water is removed during the performance of this Surveillance.

SR 3.8.1.6

This Surveillance demonstrates that each required fuel oil transfer valve operates and allows fuel oil to transfer by gravity from its associated storage tanks to its associated day tank. This is required to support continuous operation of standby power sources. This Surveillance provides assurance that the fuel oil transfer valve is OPERABLE, the fuel oil piping system is intact, the fuel delivery piping is not obstructed, and the controls and control systems for automatic fuel transfer systems are OPERABLE.

A 92 day Frequency corresponds to the Inservice Testing requirements for the transfer valves; however, the design of fuel transfer systems is such that the transfer valves will operate automatically or a valve in the bypass line must be operated manually in order to maintain an adequate volume of fuel oil in the DG day tank during or following DG testing. In such a case, a 92 day Frequency is appropriate.

SR 3.8.1.7

See SR 3.8.1.2.

SR 3.8.1.8

Transfer of each [4160 volt] emergency bus power supply from the normal preferred offsite circuit to the alternate preferred offsite circuit demonstrates the OPERABILITY of the alternate circuit distribution network to feed the shutdown loads. The 24 month Frequency of the Surveillance is based on engineering judgment taking into consideration the plant conditions required to perform the surveillance, and is intended to be consistent with expected fuel cycle lengths. Also, operating experience has shown that these components usually pass the SR when performed at the 24 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

This Surveillance is modified by two Notes. The first Note prohibits performance of this Surveillance in MODE 1 or 2. Performance of this surveillance could result in perturbations to the electrical distribution system and cause a challenge to continued steady-state operation in MODES 1 or 2. Therefore, this Surveillance must be performed in MODES 3, 4, 5, or 6. The second Note allows credit to be taken for unplanned events that satisfy this Surveillance Requirement.

SR 3.8.1.9

The diesel generators are provided with an engine overspeed trip to prevent damage to the engine. Recovery from the transient caused by the loss of a large load could cause diesel engine overspeed which, if excessive, might result in a trip of the engine. This Surveillance demonstrates the diesel generator load response characteristics and capability to reject the largest single load without exceeding predetermined voltage and frequency limits, which maintains a specified margin to the overspeed trip. The largest single load on the emergency buses corresponds to a Component Cooling Water Pump (1250 BHP, 1037 kW) (Ref. 3).

As required by IEEE 308 (Ref. 14), the load rejection test is acceptable if the increase in the speed of the diesel does not exceed 75% of the difference between nominal speed and the overspeed trip setpoint, or 15% above nominal, whichever is lower. This represents [63] Hz, equivalent to 75% of the difference between nominal speed and the overspeed trip setpoint.

The time, voltage, and frequency tolerances specified in this SR are derived from Regulatory Guide 1.9 (Ref. 2) recommendations for response during load sequence intervals. The [3] seconds specified is equal to 60% of a typical 5 second load sequence interval associated with sequencing of the largest load. The voltage and frequency specified are consistent with the design range of the equipment powered by the diesel generator. SR 3.8.1.9.a corresponds to the maximum frequency excursion while SR 3.8.1.9.b and SR 3.8.1.9.c are steady state voltage and frequency values that the system must recover to following load rejection. The 24 month Frequency is consistent with the recommendations of Regulatory Guide 1.108 (Ref. 11) (expected fuel cycle lengths).

In order to ensure that the DG is tested under load conditions that are as close to design basis conditions as possible, testing must be performed using a power factor ≤ [0.9]. This power factor is chosen to be representative of the actual design basis inductive loading that the DG would experience.

This SR is modified by two Notes. The reason for Note 1 is that during operation with the reactor critical, performance of this SR could cause perturbations to the electrical distribution systems that could challenge continued steady state operation and, as a result, unit safety systems.

Note 2 acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.10

This Surveillance demonstrates the diesel generator capability to reject a full load without overspeed tripping or exceeding the predetermined voltage limits. The generator full load rejection may occur due to a system fault or inadvertent breaker tripping. This Surveillance verifies proper engine-generator load response under the simulated test conditions. This test will simulate the loss of the total connected loads that the diesel generator will experience following a full load rejection and verify that the diesel generator will not trip upon loss of the load. These acceptance criteria provide for diesel generator damage protection. While the diesel generator is not expected to experience this transient during an event and continue to be available, this response will assure the diesel generator is not degraded for future applications, including reconnection to the bus if the trip initiator can be corrected or isolated. The 24 month Frequency is consistent with the recommendations of Regulatory Guide 1.108 (Ref. 11) (expected fuel cycle lengths).

In order to ensure that the DG is tested under load conditions that are as close to design basis conditions as possible, testing must be performed using a power factor ≤ [0.9]. This power factor is chosen to be representative of the actual design basis inductive loading that the DG would experience.

This SR is modified by two Notes. The reason for Note 1 is that during operation with the reactor critical, performance of this SR could cause perturbation to the electrical distribution systems that could challenge continued steady state operation and, as a result, unit safety systems.

Note 2 acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.11

As required by Regulatory Guide 1.108 (Ref. 11), this Surveillance demonstrates the as-designed operation of the standby power sources during loss of the preferred offsite power source. This test verifies all actions encountered from the loss of offsite power including shedding of the non-essential loads and energization of the emergency buses and respective loads from the diesel generator. It further demonstrates the capability of the diesel generator to automatically achieve the required voltage and frequency within the specified time.

The diesel generator automatic start time of 20 seconds is derived from requirements of the accident analysis to respond to a design basis large break LOCA. The minimum steady state output voltage of [3744] volts is 90% of the nominal [4160 volt] output voltage. This value, which is specified in ANSI C84.1-1982, allows for voltage drop down to the terminals of 4000 volt rated motors whose minimum operating voltage is specified as 90% or 3600 volts. It also allows for voltage drops to motors and other equipment down through the 120 volt level where minimum operating voltage is also usually specified as 90% of nameplate rating.

The specified maximum steady state output voltage of [4576] volts is equal to the maximum operating voltage specified for 4000 volt rated motors (+10% of motor nameplate rating of 4000 volts). It ensures that for a lightly loaded distribution system the voltage at the terminals of 4000 volt motors will be no more than the maximum rated operating voltages.

The specified minimum and maximum steady state output frequency of the diesel generator is [58.8] Hz and [61.2] Hz, respectively. This is equal to 2% of the 60 Hz nominal frequency and is derived from the recommendations given in Regulatory Guide 1.9 (Ref. 2) that the frequency should be restored to within 2% of nominal following a load sequence step. The Surveillance should be continued for a minimum of five minutes in order to demonstrate all starting transients have decayed and stability has been achieved.

For the purpose of this SR, the diesel generators shall be started from standby conditions. Standby conditions in this case means the diesel engine coolant and oil are being continuously circulated and temperature maintained consistent with manufacturer recommendations.

The requirement to verify the connection and power supply of permanent and auto-connected loads is intended to satisfactorily show the relationship of these loads to the DG loading logic. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, the Safety Injection System (SIS) injection valves are not desired to be stroked open and high pressure injection systems are not capable of being operated at full flow. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.


The Frequency is consistent with the recommendations of Regulatory Guide 1.108 (Ref. 11), and takes into consideration plant conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths. Also, operating experience has shown that these components usually pass the SR when performed at the 24 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

This Surveillance is modified by three Notes. The first Note permits an engine prelube period which is consistent with manufacturer's recommendations prior to diesel generator starting to minimize wear on moving parts which are not lubricated unless the engine is operating. The second Note prohibits performance of this Surveillance in MODES 1, 2, 3 or 4. Performance of this Surveillance requires that offsite power be removed from the [4160 V] emergency buses which will perturb the electrical distribution system and could challenge safety-related equipment. The third Note acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.12

This Surveillance demonstrates that the diesel generator automatically starts and achieves the required voltage and frequency within the specified time (20 seconds) from the design basis activation signal. It further demonstrates that during a LOOP event, the DG load sequencers restart equipment that was de-energized as a result of the LOOP.

The five minute period provides sufficient time to demonstrate stability. The bases for the time, voltage, and frequency tolerances specified in this Surveillance are discussed in the Bases for SR 3.8.1.11.

For the purpose of this test, the diesel generators shall be started from standby conditions. Standby conditions in this case means the diesel engine coolant and oil are being continuously circulated and temperature maintained consistent with manufacturer recommendations.


The Frequency of the Surveillance is based on engineering judgment taking into consideration the plant conditions required to perform the surveillance and is intended to be consistent with expected fuel cycle lengths. Also, operating experience has shown that these components usually pass the SR when performed at the 24 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

This Surveillance is modified by three Notes. The first Note permits an engine prelube period prior to diesel generator starting to minimize wear on moving parts which are not lubricated unless the engine is operating. The second Note prohibits performance of this Surveillance in MODE 1 or 2. Performance of this Surveillance could cause perturbations to the electrical distribution systems that could challenge continued steady-state operations. The third Note acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.13

This Surveillance demonstrates that diesel generator non-critical protective functions (e.g. high jacket water temperature) are bypassed as a result of an ESF actuation test signal concurrent with a loss of voltage test signal on the emergency bus. It also verifies that critical protective functions (engine overspeed, generator differential current, generator voltage controlled overcurrent, and low low lube oil pressure) trip the diesel generator to avert substantial damage to the diesel generator unit. The non-critical trips are bypassed during DBAs and provide an alarm on an abnormal engine condition.

This provides the operator with sufficient time to react appropriately. The diesel generator availability to mitigate the DBA is more critical than protecting the engine against minor problems that are not immediately detrimental to emergency operation of the diesel generator.

The 24 month Frequency is based on engineering judgment taking into consideration plant conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths. Also, operating experience has shown that these components usually pass the SR when performed at the 24 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

This Surveillance is modified by two Notes. Note 1 prohibits performance of this Surveillance in MODE 1 or 2. Performance of this Surveillance results in diesel generator inoperability and could challenge safety-related equipment. Note 2 acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.14

Regulatory Guide 1.108 (Ref. 11) requires demonstration once per 24 months that the diesel generators can start and run continuously at full load capability for an interval of not less than 24 hours, of which [22] hours are at a load equivalent to 110% of the continuous rating of the diesel and two hours at a load equivalent to the two hour rating of the diesel. The diesel starts for this Surveillance can be performed either from cold, standby or hot conditions. The Frequency is consistent with the recommendations of Regulatory Guide 1.108 (Ref. 11), and takes into consideration plant conditions required to perform the Surveillance and is intended to be consistent with expected fuel cycle lengths.

The provisions for prelubricating and warmup, discussed in SR 3.8.1.2, and for gradual loading, discussed in SR 3.8.1.3, are applicable to this SR.

In order to ensure that the DG is tested under load conditions that are as close to design conditions as possible, testing must be performed using a power factor of ≤ [0.9]. This power factor is chosen to be representative of the actual design basis inductive loading that the DG would experience. The load band is provided to avoid routine overloading of the DG. Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY.

This Surveillance is modified by three Notes. Note 1 states that momentary transients due to changing bus loads do not invalidate this test. Similarly, momentary power factor transients above the power factor limit will not invalidate the test. The reason for Note 2 is that during operation with the reactor critical, performance of this Surveillance could cause perturbations to the electrical distribution systems that could challenge continued steady state operation and, as a result, unit safety systems. Note 3 acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.15

This Surveillance demonstrates that the diesel engine can restart from a hot condition and achieve the required voltage and frequency within 20 seconds. The 20 second time is derived from the requirements of the accident analysis to respond to a design basis large break LOCA. The bases for the voltage and frequency tolerances are discussed in the Bases for SR 3.8.1.11.

This Surveillance demonstrates the diesel generator capability to respond to accident signals while hot, such as subsequent to shutdown from normal Surveillances. The load band is provided to avoid routine overloading of the diesel generator. Routine overloads may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain diesel generator OPERABILITY. The 24 month Frequency is consistent with the recommendations of Regulatory Guide 1.108 (Ref. 11).

This Surveillance is modified by three Notes. The first Note requires that this Surveillance be performed within five minutes of shutting down the diesel generator after it has operated for ≥ [two] hours at fully loaded conditions and provides that momentary transients due to changing bus loads do not invalidate the test. The two-hour time limit is based on the manufacturer's recommendation for achieving hot conditions. The second Note permits an engine prelube period prior to diesel generator starting to minimize wear on moving parts which are not lubricated unless the engine is operating. Note 3 acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.16

As required by Regulatory Guide 1.108 (Ref. 11), this Surveillance assures that the manual synchronization and load transfer from the diesel generator to the offsite power source can be made and the diesel generator can be returned to ready-to-load status when offsite power is restored. It also ensures that the auto-start logic is reset to allow the diesel generator to reload if a subsequent loss of offsite power occurs. The diesel generator is considered to be in ready-to-load status when the diesel generator is at required speed and voltage, the output breaker is open and can receive an auto-close signal on bus undervoltage, and the load sequence timers are reset.

The Frequency of 24 months is consistent with the recommendations of Regulatory Guide 1.108 (Ref. 11) and takes into consideration plant conditions required to perform the Surveillance.

This SR is modified by two Notes. The reason for Note 1 is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. Note 2 acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.17

Demonstration of the test mode override ensures that the diesel generator availability under accident conditions will not be compromised as the result of testing. Interlocks to the LOCA sensing circuits cause the diesel generator to automatically reset to ready-to-load operation if a LOCA actuation signal is received during operation in the test mode. Ready-to-load operation is defined as the diesel generator running at required speed and voltage with the diesel generator output breaker open. These provisions for automatic switchover are required by IEEE 308 (Ref. 14).

The requirement to automatically energize the emergency loads with offsite power is essentially identical to that of SR 3.8.1.12. The intent in the requirement associated with SR 3.8.1.17.b is to show that the emergency loading was not affected by the DG operation in test mode. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the emergency loads to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.

The 24 month Frequency is consistent with the recommendations of Regulatory Guide 1.108 (Ref. 11), takes into consideration unit conditions required to perform the Surveillance and is intended to be consistent with expected fuel cycle lengths.

This SR is modified by two Notes. The reason for Note 1 is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. Note 2 acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.18

As required by Regulatory Guide 1.108 (Ref. 11), each diesel generator is required to demonstrate proper operation for the DBA loading sequence to ensure that voltage and frequency are maintained within the required limits. Under accident conditions, prior to connecting the diesel generators to their appropriate bus, all loads are shed except load center feeders and those motor control centers which feed Class IE loads (referred to as permanently-connected loads). Upon reaching 90% required voltage and frequency, the diesel generators are then connected to their respective bus. Loads are then sequentially connected to the bus by the automatic load sequencer. The sequencing logic controls the permissive and starting signals to motor breakers so as to prevent overloading the diesel generators due to high motor starting currents. The 10% load sequence time interval tolerance ensures sufficient time exists for the diesel generator to restore frequency and voltage prior to applying the next load and that safety analysis assumptions regarding ESF equipment time delays are not violated. Reference I provides a summary of the automatic loading of ESF buses.

The Frequency of 24 months is consistent with the recommendations of Regulatory Guide 1.108 (Ref. 11), and takes into consideration plant conditions required to perform the Surveillance and is intended to be consistent with expected fuel cycle lengths.

This Surveillance is modified by two Notes. The first Note prohibits performance of this Surveillance in MODE 1, 2, 3, or 4. Performance of this test requires the inoperability of certain ESF equipment and has the potential to perturb the electrical distribution system which would challenge continued steady-state operation. The second Note acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.19

In the event of a design basis accident coincident with a loss of offsite power (LOOP), the diesel generators are required to supply the necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded.

This Surveillance demonstrates the diesel generator operation, as discussed in the Bases for SR 3.8.1.11, during a LOOP actuation test signal in conjunction with an ESF actuation signal. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.

The Frequency of 24 months is consistent with the recommendations of Regulatory Guide 1.108 (Ref. 11), and takes into consideration plant conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

This Surveillance is modified by three Notes. The first Note permits an engine prelube period prior to diesel generator starting to minimize wear on moving parts which are not lubricated unless the engine is operating. The second Note prohibits performance of this Surveillance in MODE 1, 2, 3 or 4. Performance of this Surveillance requires that offsite power be removed from the emergency buses which will perturb the electrical distribution system and could challenge continued steady-state operation and safety-related equipment. The third Note acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.20

This Surveillance demonstrates that the diesel generator starting independence has not been compromised. Also, this Surveillance demonstrates that each engine can achieve proper speed within the specified time when the diesel generators are started simultaneously. The 10 year Frequency is consistent with the recommendations of Regulatory Guide 1.108 (Ref. 11) and Regulatory Guide 1.137 (Ref. 12).

This Surveillance is modified by a Note which allows an engine prelube period prior to diesel generator starting to minimize wear on moving parts which are not lubricated unless the engine is operating.


Diesel Generator Test Schedule

The diesel generator test schedule (Table 3.8.1-1) implements the recommendations of Revision 3 to Regulatory Guide 1.9 (Ref. 2). The purpose of this test schedule is to provide timely test data to establish a confidence level associated with the goal to maintain diesel generator reliability above 0.95 per demand.

According to Regulatory Guide 1.9, Revision 3 (Ref. 2), each DG unit should be tested at least once every 31 days.

Whenever a DG has experienced 4 or more valid failures in the last 25 valid tests, the maximum time between tests is reduced to 7 days. Four failures in 25 valid tests is a failure rate of 0.16, or the threshold of acceptable DG performance, and hence may be an early indication of the degradation of DG reliability. When considered in the light of a long history of tests, however, 4 failures in the last 25 valid tests may only be a statistically probable distribution of random events. Increasing the test Frequency will allow for a more timely accumulation of additional test data upon which to base judgment of the reliability of the DG. The increased test Frequency must be maintained until seven consecutive, failure free tests have been performed.

The Frequency for accelerated testing is 7 days, but no less than 24 hours. Therefore, the interval between tests should be no less than 24 hours, and no more than 7 days. A successful test at an interval of less than 24 hours should be considered an invalid test and not count towards the seven consecutive failure free starts. A test interval in excess of 7 days constitutes a failure to meet the SRs.
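The scheduling rules in the two paragraphs above (31 day normal Frequency; 4 or more valid failures in the last 25 valid tests puts the DG on a 7 day Frequency; tests closer than 24 hours are invalid and do not count; an interval over the required Frequency is a missed Surveillance; seven consecutive failure-free tests end accelerated testing; failures outside the defined DG unit are invalid and not charged) are easier to audit as code. The following Python is an added example for this page, not the DCD's or any plant's scheduling procedure; the test log it evaluates is constructed. One detail the Bases leave open is an assumption of the example: the 25-test window is re-evaluated only when a new valid failure is logged, so the failures that caused one accelerated period do not by themselves restart it immediately after recovery.

```python
"""Diesel generator test-schedule tracker following the Bases text on
accelerated testing.  Added example; the log below is constructed data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

NORMAL_INTERVAL = timedelta(days=31)       # each DG tested at least once every 31 days
ACCELERATED_INTERVAL = timedelta(days=7)   # after 4 failures in the last 25 valid tests
MIN_INTERVAL = timedelta(hours=24)         # a test closer than this is invalid
WINDOW = 25
FAILURE_THRESHOLD = 4
RECOVERY_RUN = 7                           # consecutive failure-free tests to leave accelerated testing


@dataclass(frozen=True)
class TestRecord:
    when: datetime
    passed: bool
    valid: bool = True   # False: failure caused by equipment outside the DG unit (invalid failure)


@dataclass
class ScheduleState:
    accelerated: bool = False
    consecutive_successes: int = 0
    counted_tests: int = 0
    missed_surveillances: List[datetime] = field(default_factory=list)
    discarded_tests: List[datetime] = field(default_factory=list)

    @property
    def required_interval(self) -> timedelta:
        return ACCELERATED_INTERVAL if self.accelerated else NORMAL_INTERVAL


def evaluate_schedule(records: List[TestRecord]) -> ScheduleState:
    """Replay a test log in time order and return the resulting schedule state."""
    state = ScheduleState()
    outcomes: List[bool] = []          # results of counted valid tests, oldest first
    last: Optional[datetime] = None    # time of the last counted valid test
    for rec in sorted(records, key=lambda r: r.when):
        if not rec.valid:
            continue   # invalid failure: not charged to the DG, does not move the window
        if last is not None and rec.when - last < MIN_INTERVAL:
            state.discarded_tests.append(rec.when)   # invalid test: does not count toward the seven
            continue
        if last is not None and rec.when - last > state.required_interval:
            state.missed_surveillances.append(rec.when)   # interval exceeded the SR Frequency
        outcomes.append(rec.passed)
        state.counted_tests += 1
        last = rec.when
        state.consecutive_successes = state.consecutive_successes + 1 if rec.passed else 0
        if state.accelerated:
            if state.consecutive_successes >= RECOVERY_RUN:
                state.accelerated = False
        elif not rec.passed and outcomes[-WINDOW:].count(False) >= FAILURE_THRESHOLD:
            # assumption of this example: the window is checked only on a new failure
            state.accelerated = True
    return state


def constructed_history(recovery_gap_days: int = 6) -> List[TestRecord]:
    """Constructed log: ten monthly passes, a cluster of four failures in five
    tests, one retest too soon after the last failure, then seven passes
    recovery_gap_days apart (6 keeps the 7 day Frequency; 9 misses it)."""
    t0 = datetime(2024, 1, 1, 8, 0)
    recs = [TestRecord(t0 + timedelta(days=31 * i), True) for i in range(10)]
    t = recs[-1].when
    for passed in (False, True, False, False, False):
        t += timedelta(days=7)
        recs.append(TestRecord(t, passed))
    recs.append(TestRecord(t + timedelta(hours=6), True))   # < 24 h: invalid, discarded
    for _ in range(RECOVERY_RUN):
        t += timedelta(days=recovery_gap_days)
        recs.append(TestRecord(t, True))
    return recs


if __name__ == "__main__":
    print(evaluate_schedule(constructed_history()))
    print(evaluate_schedule(constructed_history(recovery_gap_days=9)))
```

The missed-Surveillance check is made against the Frequency in force before the current test is counted, which is the interval the previous test committed the plant to; the replay therefore reports every 9 day gap in the second scenario as a miss even though the seventh of those passes ends accelerated testing.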

Regulatory Guide 1.108 (Ref. 11) defines the diesel generator unit as consisting of the engine, generator, combustion air system, cooling water system up to the supply, fuel oil supply system, lubricating oil system, starting energy sources, auto start controls, manual controls, and the diesel generator breaker. Inoperabilities of diesel generators caused by failures of equipment that are not part of the defined diesel generator unit are categorized as invalid failures in accordance with Regulatory Guide 1.108 since the failure would not have prevented the diesel generator from performing its intended safety function. As such, they do not impact the Surveillance Frequency of the diesel generator that failed.

REFERENCES

1. 10 CFR 50, Appendix A, General Design Criteria 17, "Electric Power Systems."
2. Regulatory Guide 1.9, "Selection, Design, and Qualification of Diesel Generator Units Used as Onsite Electric Power Systems at Nuclear Power Plants," Revision 3.
3. Chapter 8.
4. Chapter 6.
5. Chapter 15.
6. ANSI C84.1-1982.
7. ASME Boiler & Pressure Vessel Code Section XI.
8. Regulatory Guide 1.93, "Availability of Electric Power Sources," December 1974.
9. Generic Letter 84-15, "Proposed Staff Actions to Improve and Maintain Diesel Generator Reliability," July 2, 1984.
10. 10 CFR 50, General Design Criteria 18, "Inspection and Testing of Electric Power Systems."
11. Regulatory Guide 1.108, "Periodic Testing of Diesel Generator Units Used as On-site Electric Power Systems at Nuclear Power Plants," August 1977.
12. Regulatory Guide 1.137, "Fuel Oil Systems for Standby Diesel Generators," October 1979.
13. Chapter 9.
14. IEEE 308-1974, "IEEE Standard Criteria for Class IE Power Systems for Nuclear Power Generating Stations."
15. Chapter 19.

AC Sources - Shutdown
B 3.8.2

B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.2 AC Sources - Shutdown

BASES

BACKGROUND
A description of offsite and onsite AC Power Sources is provided in the Bases for LCO 3.8.1, AC Sources - Operating.

APPLICABLE SAFETY ANALYSES
The OPERABILITY of the minimum AC sources during MODES 5 and 6 ensures that:

a) The unit can be maintained in the shutdown or refueling condition for extended periods;
b) Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and
c) Adequate AC electrical power is provided to mitigate events postulated during shutdown, such as an inadvertent draindown of the vessel or a fuel handling accident, or a loss of decay heat removal.

In general, when the unit is shut down, the Technical Specifications requirements ensure that the unit has the capability to mitigate the consequences of postulated accidents. However, assuming a single failure and concurrent loss of all offsite or all onsite power is not required. The rationale for this is based on the fact that many Design Basis Accidents (DBAs) that are analyzed in MODES 1, 2, 3, and 4 have no specific analyses in MODES 5 and 6. Worst case bounding events are deemed not credible in MODES 5 and 6 because the energy contained within the reactor pressure boundary, reactor coolant temperature and pressure, and the corresponding stresses result in the probabilities of occurrence being significantly reduced or eliminated, and with minimal consequences. These deviations from DBA analysis assumptions and design requirements during shutdown conditions are allowed by the LCO for required systems.


APPLICABLE SAFETY ANALYSES (continued)

During MODES 1, 2, 3, and 4, various deviations from the analysis assumptions and design requirements are allowed within the Required Actions. This allowance is in recognition that certain testing and maintenance activities must be conducted provided an acceptable level of risk is not exceeded. During MODES 5 and 6, performance of a significant number of required testing and maintenance activities is also required. In MODES 5 and 6, the activities are generally planned and administratively controlled. Relaxations from MODE 1, 2, 3, and 4 LCO requirements are acceptable during shutdown modes based on:

a. The fact that time in an outage is limited. This is a risk prudent goal as well as a utility economic consideration.
b. Requiring appropriate compensatory measures for certain conditions. These may include administrative controls, reliance on systems that do not necessarily meet typical design requirements applied to systems credited in operating MODE analyses, or both.
c. Prudent utility consideration of the risk associated with multiple activities that could affect multiple systems.
d. Maintaining, to the extent practical, the ability to perform required functions (even if not meeting MODE 1, 2, 3, and 4 OPERABILITY requirements) with systems assumed to function during an event.

In the event of an accident during shutdown, this LCO ensures the capability to support systems necessary to avoid immediate difficulty, assuming either a loss of all offsite power or a loss of all onsite diesel generator (DG) power.

The AC sources satisfy Criterion 3 of the NRC Policy Statement.

LCO
The qualified offsite circuit(s) capable of supplying the onsite Class IE power distribution subsystem(s) of LCO 3.8.10, "Distribution Systems-Shutdown," ensures that all required loads are powered from offsite power. The OPERABLE on-site power source(s), associated with a distribution system division(s) required to be OPERABLE by LCO 3.8.10, ensures a diverse power source is available to provide electrical power support, assuming a loss of the offsite circuit(s). Together, OPERABILITY of the required offsite circuit(s) and on-site power source(s) ensures the availability of sufficient AC sources to operate the unit in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents, reactor vessel draindown, or loss of decay heat removal).

The qualified offsite circuit(s) must be capable of maintaining required frequency and voltage, and accepting required loads during an accident, while connected to the Engineered Safety Feature (ESF) bus(es). Qualified offsite circuits are those that are described in the CESSAR-DC and are part of the licensing basis for the unit.

During a shutdown condition, it is acceptable for a single i offsite power circuit to supply all required divisions of electrical power.

Inoperable AC Sources do not necessarily result in inoperable components (which are designed to receive power from that source) unless specifically directed by Required Actions (refer to LCO 3.0.7).

The DG must be capable of starting, accelerating to required speed and voltage, connecting to its respective ESF bus on detection of bus undervoltage, and accepting required loads. This sequence must be accomplished within 20 seconds. The DG must be capable of accepting required loads within the assumed loading sequence intervals, and must continue to operate until offsite power can be restored to the ESF buses. These capabilities are required to be met from a variety of initial conditions such as DG in standby with the engine hot, DG in standby at ambient conditions, and DG operating in a parallel test mode.

Proper sequencing of loads, including tripping of nonessential loads, is a required function for DG OPERABILITY.


LCO (continued)

In addition, proper sequencer operation is an integral part of offsite circuit OPERABILITY if its inoperability in any way impacts the ability to start and maintain energized any loads required OPERABLE by LCO 3.8.10.

Certain diesel generator support systems are addressed in other LCOs. During inoperabilities in these support systems, inoperable diesel generators do not necessarily result unless specifically directed by Required Actions (refer to LCO 3.0.7).

As described in Appendix 19.8A, " Shutdown Risk Evaluation" (Ref. 1), in the event of an accident during shutdown, the TS are designed to maintain the plant in a condition such that, even with a single failure, the plant will not be in immediate difficulty.

APPLICABILITY
The MODE 5 and MODE 6 APPLICABILITY assures AC power sources are OPERABLE to support the equipment required to be OPERABLE for the various conditions of these MODES.

MODE 5 has a subset of plant operating conditions. These include: 1) MODE 5 - Loops Filled, 2) MODE 5 - Loops Not Filled, and 3) MODE 5 - REDUCED RCS INVENTORY. During these different operating conditions the systems required to be OPERABLE are dictated by the conditions. Identifying the required systems and the Distribution Systems to support them is essential in determining the number of qualified circuit(s) and the number of on-site source(s) that must be OPERABLE in these different conditions.

MODE 6 also has a subset of plant operating conditions. These include: 1) MODE 6 - High Water Level, 2) MODE 6 - Low Water Level, and 3) MODE 6 - REDUCED RCS INVENTORY. As discussed in the previous paragraph, identification of the required systems for each condition must be accomplished to ensure compliance with the TS.

The AC power sources that are required to be OPERABLE in MODES 5 and 6 provide assurance that:

a. Systems to provide adequate coolant inventory makeup are available for the irradiated fuel assemblies in the core in case of an inadvertent draindown of the reactor vessel,
b. Systems needed to mitigate a fuel handling accident are available,
c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available,
d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown or refueling condition, and
e. Systems are available to remove decay heat from the irradiated fuel in the core.

AC power requirements for MODES 1, 2, 3, and 4 are addressed in LCO 3.8.1, "AC Sources - Operating."


ACTIONS

A.1

An offsite circuit would be considered inoperable if it were not available to one required ESF division. Although two divisions may be required by LCO 3.8.10, the remaining division with offsite power available may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS, fuel movement, and/or operations with a potential for draining the reactor vessel.

By the allowance of the option to declare required features inoperable, with no offsite power available, appropriate restrictions will be implemented in accordance with the affected required features' LCO ACTIONS.

A.2.1, A.2.2, A.2.3, A.2.4, A.2.5, B.1, B.2.1, B.2.2, B.2.3, B.2.4, and B.2.5

With the offsite circuit not available to all required divisions, the option would still exist to declare all required features inoperable. Since this option may involve undesired administrative efforts, the allowance for sufficiently conservative actions is made. With the required on-site power source(s) inoperable, the minimum required diversity of AC power sources is not available.

Although two divisions may be required by LCO 3.8.10, the remaining divisions with an on-site power source available may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS, fuel movement, and/or operations with a potential for draining the reactor vessel. The option to declare required features inoperable, with no on-site source available, will implement appropriate restrictions in accordance with the affected features' LCO ACTIONS. The other option is to require the suspension of CORE ALTERATIONS, movement of irradiated fuel assemblies, any activities that could potentially result in inadvertent draining of the reactor vessel, and operations involving positive reactivity additions which would exceed limits specified in LCO 3.1.1, "SHUTDOWN MARGIN (SDM)," or LCO 3.1.9, "Special Test Exception (STE) - SHUTDOWN MARGIN (SDM)." The Required Action to suspend positive reactivity additions does not preclude actions to maintain or increase reactor vessel inventory provided the required SDM is maintained.

Suspension of these activities does not preclude completion of actions to establish a safe conservative condition.

These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required AC sources and to continue this action until restoration is accomplished in order to provide the necessary AC power to the unit safety systems.

Notwithstanding performance of the conservative Required Actions, the unit is still without sufficient AC power sources to operate in a safe manner. Therefore, action must be initiated to restore the minimum required AC power sources and continue until the LCO requirements are restored.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required AC electrical power sources should be completed as quickly as possible in order to minimize the time during which the unit safety systems may be without sufficient power.

Pursuant to LCO 3.0.6, the Distribution System's ACTIONS are not entered even if all AC sources to it are inoperable, resulting in de-energization. Therefore, the Required Actions of Condition A are modified by a Note to indicate that when Condition A is entered with no AC power to one ESF bus, the ACTIONS for LCO 3.8.10 must be immediately entered.

This Note allows Condition A to provide requirements for the loss of the offsite circuit, whether or not a division is de-energized. LCO 3.8.10 provides the appropriate restrictions for the situation involving a de-energized division.

C.1, C.2, C.3.1, and C.3.2

During shutdown, with two on-site sources required, if one source becomes inoperable Condition C must be entered.

To ensure a highly reliable offsite power source remains with an inoperable DG, it is necessary to verify the availability of the offsite circuits on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action being not met. However, if a circuit fails to pass SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions and Required Actions must then be entered.

The specific list of features encompassed by Required Action C.2 is provided in Reference 8. These features are those which are designed with redundant safety related divisions.

Single division systems are not included. Since the Completion Time allowance for this Required Action is limited to four hours, those systems with allowed Completion Times ≥ four hours for both divisions inoperable are not included as required features to be checked. Required Action C.2 is intended to provide assurance that a loss of offsite power, during the period that a diesel generator is inoperable, will not result in a complete loss of safety function of critical systems. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both: 1) an inoperable diesel generator exists, and 2) a required feature on the other division is inoperable. This will result in establishing the "time zero" at the time that the LCO was initially not met, instead of at the time Condition C was entered. If at any time during the existence of this Condition (one diesel generator inoperable) a required feature subsequently becomes inoperable, this Completion Time would begin to be tracked.

Discovering one required DG inoperable coincident with one or more inoperable required support or supported features, or both, that are associated with the OPERABLE DG, results in starting the Completion Time for the Required Action.

Four hours from the discovery of these events existing concurrently is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.

In this Condition, the remaining OPERABLE DG and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. Thus, on a component basis, single failure protection for the required feature's function may have been lost; however, function has not been lost. The 4 hour Completion Time takes into account the OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 4 hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.
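The "time zero" rule for Required Action C.2 is easy to get wrong in an outage tracking tool, so here is an added example (not part of the System 80+ Bases and not plant software) that encodes it: the 4 hour clock does not start when Condition C is entered, but at the first instant an inoperable DG and an inoperable required feature on the other division coexist, and it stops when either clears. The timestamps, feature names and class layout are constructed for illustration.

```python
"""
Added example (not part of the System 80+ Bases text): a small tracker for
the "time zero" rule of Required Action C.2 of LCO 3.8.2 described above.
Timestamps and feature names below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional

COMPLETION_TIME = timedelta(hours=4)   # Required Action C.2, page value


@dataclass
class ConditionCTracker:
    """One inoperable DG plus the required features on the OPERABLE DG's division."""
    dg_inoperable_since: Optional[datetime] = None
    # feature name -> time it became inoperable (features on the other division)
    inoperable_features: Dict[str, datetime] = field(default_factory=dict)
    time_zero: Optional[datetime] = None

    def dg_inoperable(self, when: datetime) -> None:
        self.dg_inoperable_since = when
        self._update_time_zero()

    def dg_restored(self) -> None:
        self.dg_inoperable_since = None
        self._update_time_zero()

    def feature_inoperable(self, name: str, when: datetime) -> None:
        self.inoperable_features[name] = when
        self._update_time_zero()

    def feature_restored(self, name: str) -> None:
        self.inoperable_features.pop(name, None)
        self._update_time_zero()

    def _update_time_zero(self) -> None:
        """Set time zero when the concurrency first appears; clear it when it ends."""
        if self.dg_inoperable_since is None or not self.inoperable_features:
            self.time_zero = None            # no concurrent inoperability: no clock
        elif self.time_zero is None:
            # First instant both exist: the later of the DG inoperability and
            # the earliest still-inoperable required feature.
            self.time_zero = max(self.dg_inoperable_since,
                                 min(self.inoperable_features.values()))
        # Otherwise the concurrency has persisted without a break: keep the
        # original time zero even if individual features come and go.

    def deadline(self) -> Optional[datetime]:
        return None if self.time_zero is None else self.time_zero + COMPLETION_TIME

    def completion_time_met(self, now: datetime) -> bool:
        """True while no C.2 clock is running or the clock has not expired."""
        d = self.deadline()
        return d is None or now <= d


def scenario() -> Dict[str, object]:
    """Constructed sequence exercising the time-zero rule; returns the observations."""
    t = ConditionCTracker()
    t.dg_inoperable(datetime(2024, 1, 1, 0, 0))           # Condition C entered at 00:00
    no_clock_on_entry = t.time_zero is None
    t.feature_inoperable("division B feature 1", datetime(2024, 1, 1, 1, 0))
    first_time_zero = t.time_zero.isoformat()             # 01:00, not 00:00
    met_before = t.completion_time_met(datetime(2024, 1, 1, 4, 59))
    met_after = t.completion_time_met(datetime(2024, 1, 1, 5, 1))
    t.feature_inoperable("division B feature 2", datetime(2024, 1, 1, 2, 0))
    t.feature_restored("division B feature 1")            # concurrency never broke
    time_zero_after_swap = t.time_zero.isoformat()
    t.feature_restored("division B feature 2")            # concurrency ends: clock stops
    cleared = t.time_zero is None
    t.feature_inoperable("division B feature 1", datetime(2024, 1, 1, 6, 0))
    restarted_time_zero = t.time_zero.isoformat()         # new clock from 06:00
    return {
        "no_clock_on_entry": no_clock_on_entry,
        "first_time_zero": first_time_zero,
        "met_before": met_before,
        "met_after": met_after,
        "time_zero_after_swap": time_zero_after_swap,
        "cleared": cleared,
        "restarted_time_zero": restarted_time_zero,
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k:>22}: {v}")
```

The point of keeping the original time zero while features are swapped is that the LCO has been continuously not met since the first concurrency; only when no required feature on the other division remains inoperable (or the DG is restored) does the clock stop, after which a later feature failure starts a fresh 4 hour clock.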

The Note in Condition C requires that Required Action C.3.1 or C.3.2 must be completed if Condition C is entered. The intent is that all DG inoperabilities must be investigated for common cause failures regardless of how long the DG inoperability persists.

Required Action C.3.1 provides an allowance to avoid unnecessary testing of OPERABLE DGs. If it can be determined that the cause of the inoperable DG does not exist on the OPERABLE DG, SR 3.8.1.2 does not have to be performed. If the cause of inoperability exists on other DG(s), the other DG(s) would be declared inoperable upon discovery and Condition D of LCO 3.8.2 would be entered.

Once the failure is repaired, the common cause failure no longer exists and Required Action C.3.1 is satisfied. If the cause of the initial inoperable DG cannot be confirmed not to exist on the remaining DG(s), performance of SR 3.8.1.2 suffices to provide assurance of continued

According to Generic Letter 84-15 (Ref. 9), 24 hours is reasonable to confirm that the OPERABLE DG(s) is not affected by the same problem as the inoperable DG.

C.4, C.5, and C.6

Required Actions C.4 and C.5 verify the CTG to be functional and capable of being aligned to the ESF buses. These actions ensure the CTG is available as an on-site Alternate AC (AAC) power source. The CTG must be started and achieve required steady voltage and frequency within [2] minutes.

In addition, alignment of the circuit must be verified within 4 hours and once per 8 hours thereafter. This action ensures the following: (1) the circuit from the CTG to the ESF buses is available, (2) the operator is familiar with the breaker alignment required to supply the ESF buses from the CTG, and (3) any misalignment of the circuit can be identified and corrected.

In Condition C, if the CTG is not available, the remaining OPERABLE DG and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System.

The 4 hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

In Condition C, if the CTG is available, the 14 day Completion Time of Required Action C.6 takes into account the ability of the CTG to automatically start and to be aligned to the ESF buses in [10] minutes. (See the Background section for a discussion of the CTG.)

D.1, D.2.1, D.2.2, D.2.3, D.2.4, and D.2.5

If the Required Actions and Completion Times of Condition C are not met, Condition D must be entered. The Required Actions of Condition D are the same as those of Condition B. A discussion of these Bases can be found in the above paragraphs for the Required Actions of Condition B.

SURVEILLANCE REQUIREMENTS

SR 3.8.2.1

SR 3.8.2.1 requires the SRs from LCO 3.8.1 that are necessary for ensuring the OPERABILITY of the AC sources in other than MODES 1, 2, 3, and 4.

This SR is modified by a Note. This Note requires the performance of SR 3.8.1.3 only when the number of AC sources is more than the minimum required by LCO 3.8.2.

This precludes requiring the OPERABLE DG from being paralleled with the offsite network. However, this test must be performed every six months. This six month period provides adequate time for scheduling the SR without impacting DG OPERABILITY. Refer to the corresponding Bases for LCO 3.8.1 for a discussion of each SR. Also, refer to the Note before SR 3.8.1.1 and the Bases for a discussion of the Frequency requirements.

REFERENCES

1. Appendix 19.8A


B 3.8 ELECTRICAL POWER SYSTEMS
B 3.8.3 Diesel Fuel Oil, Lube Oil, and Starting Air

BASES

BACKGROUND

Each diesel generator is provided with two one-half capacity storage tanks having the combined fuel capacity sufficient to operate that diesel for a period of seven days while the diesel generator is supplying maximum post-accident load demand (Ref. 1). The maximum load demand is calculated using the assumption that two diesel generators are available. This onsite fuel capacity is sufficient to operate the diesel generator for longer than the time it would take to replenish the onsite supply from outside sources. Fuel oil is transferred from the storage tanks to the day tank by gravity feed. Redundancy of the storage tanks and piping, and the use of gravity feed, precludes the failure of a pump, or the rupture of any pipe, valve, or tank, from resulting in the loss of more than one DG.

For proper operation of the diesel generators, it is necessary to ensure the proper quality of the fuel oil. Regulatory Guide 1.137 (Ref. 2) addresses the recommended fuel oil practices as supplemented by ANSI N195-1976 (Ref. 3). The fuel oil properties governed by these Surveillance Requirements are the water and sediment content, the kinematic viscosity, specific gravity (or API gravity), and impurity level.

The diesel generator lubrication system is designed to provide sufficient lubrication to permit proper operation of its associated diesel generator under all loading conditions. The system is required to circulate the lube oil to the diesel engine working surfaces and to remove excess heat generated by friction during operation. The system provides oil to the engine surfaces at a specified temperature during the long anticipated periods of standby duty. Each engine oil sump is of adequate size to contain all the oil in the engine lube oil system and has an inventory capable of supporting a minimum running time of 7 days. This provides sufficient supply to allow the operator to replenish lube oil from storage facilities onsite. The onsite storage in addition to the engine oil sump is sufficient to ensure seven days continuous operation.

Each DG has an air start system with adequate capacity for five successive start attempts of the DG without recharging the air start receiver(s).

APPLICABLE SAFETY ANALYSES

The initial conditions of design basis transient and accident analyses in CESSAR-DC Chapters 6, Engineered Safety Features, and 15, Accident Analyses, assume ESF systems are OPERABLE. The diesel generators are designed to provide sufficient capacity, capability, redundancy and reliability to ensure the availability of necessary power to ESF systems so that fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for LCO Sections 3.2 (Power Distribution Limits), 3.4 (Reactor Coolant System), and 3.6 (Containment Systems).

The diesel fuel oil, lubricating oil, and air start subsystems provide the necessary supply to support operation of the diesel generators. They satisfy Criterion 3 of the NRC Policy Statement.

LCO

Stored diesel fuel oil is required to have sufficient supply for 7 days of full load operation. It is also required to meet specific standards for quality. Additionally, sufficient lubricating oil supply must be available to ensure the capability to operate at full load for 7 days.

This requirement, in conjunction with an ability to obtain replacement supplies within 7 days, supports the availability of DGs required to shut down the reactor and to maintain it in a safe condition for an anticipated operational occurrence (AOO) or a postulated DBA with loss of offsite power. DG day tank fuel requirements, as well as transfer capability from the storage tank to the day tank, are addressed in LCO 3.8.1, "AC Sources - Operating," and LCO 3.8.2, "AC Sources - Shutdown."

The starting air system is required to have a minimum capacity for five successive DG start attempts without recharging the air start receivers.


APPLICABILITY

The AC sources (LCO 3.8.1 and LCO 3.8.2) are required to ensure the availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an AOO or a postulated DBA. Since stored diesel fuel oil, lube oil, and starting air subsystems support LCO 3.8.1 and LCO 3.8.2, stored diesel fuel oil, lube oil and starting air are required to be within limits when the associated DG is required to be OPERABLE.

ACTIONS

A.1

In this Condition, the 7 day fuel oil supply for a DG is not available. However, the Condition is restricted to fuel oil level reductions that maintain at least a 6 day supply. These circumstances may be caused by events such as full load operation required after an inadvertent start while at minimum required level, or feed and bleed operations, which may be necessitated by increasing particulate levels or any number of other oil quality degradations. This restriction allows sufficient time for obtaining the requisite replacement volume and performing the analyses required prior to addition of fuel oil to the tank. A period of 48 hours is considered sufficient to complete restoration of the required level prior to declaring the DG inoperable.

This period is acceptable based on the remaining capacity (> 6 days), the fact that procedures will be initiated to obtain replenishment, and the low probability of an event during this brief period.

B.1

With lube oil inventory < [500] gallons, sufficient lubricating oil to support 7 days of continuous DG operation at full load conditions may not be available. However, the Condition is restricted to lube oil volume reductions that maintain at least a 6 day supply. This restriction allows sufficient time to obtain the requisite replacement volume. A period of 48 hours is considered sufficient to complete restoration of the required volume prior to declaring the DG inoperable. This period is acceptable based on the remaining capacity (> 6 days), the low rate of usage, the fact that procedures will be initiated to obtain replenishment, and the low probability of an event during this brief period.

C.1

This Condition is entered as a result of a failure to meet the acceptance criterion of SR 3.8.3.3. Normally, trending of particulate levels allows sufficient time to correct high particulate levels prior to reaching the limit of acceptability. Poor sample procedures (bottom sampling), contaminated sampling equipment, and errors in laboratory analysis can produce failures that do not follow a trend.

Since the presence of particulates does not mean failure of the fuel oil to burn properly in the diesel engine, and particulate concentration is unlikely to change significantly between Surveillance Frequency intervals, and proper engine performance has been recently demonstrated (within 31 days), it is prudent to allow a brief period prior to declaring the associated DG inoperable. The 7 day Completion Time allows for further evaluation, resampling, and re-analysis of the DG fuel oil.

D.1

With the new fuel oil properties defined in the Bases for SR 3.8.3.3 not within the required limits, a period of 30 days is allowed for restoring the stored fuel oil properties. This period provides sufficient time to test the stored fuel oil to determine that the new fuel oil, when mixed with previously stored fuel oil, remains acceptable, or to restore the stored fuel oil properties. This restoration may involve feed and bleed procedures, filtering, or combinations of these procedures. Even if a DG start and load was required during this time interval and the fuel oil properties were outside limits, there is a high likelihood that the DG would still be capable of performing its intended function.

E.1

With starting air receiver pressure < [225] psig, sufficient capacity for five successive DG start attempts does not exist. However, as long as the receiver pressure is > [125] psig, there is adequate capacity for at least one start attempt, and the DG can be considered OPERABLE while the air receiver pressure is restored to the required limit. A period of 48 hours is considered sufficient to complete restoration to the required pressure prior to declaring the DG inoperable. This period is acceptable based on the remaining air start capacity, the fact that most DG starts are accomplished on the first attempt, and the low probability of an event during this brief period.

F.1

With a Required Action and associated Completion Time not met, or one or more DGs with diesel fuel oil, lube oil, or starting air not within limits for reasons other than addressed by Conditions A through E, the associated DG may be incapable of performing its intended function and must be immediately declared inoperable.

SURVEILLANCE REQUIREMENTS

SR 3.8.3.1

This SR provides verification that there is an adequate inventory of fuel oil in the storage tanks to support each DG's operation for 7 days at full load. The 7 day period is sufficient time to place the unit in a safe shutdown condition and to bring in replenishment fuel from an offsite location. The 31 day Frequency is adequate to ensure that a sufficient supply of fuel oil is available, since low-level alarms are provided and operators are aware of large uses of fuel oil during this period.

SR 3.8.3.2

This Surveillance ensures that sufficient lubricating oil inventory is available to support at least 7 days of full load operation for the diesel generator. The [500] gallons requirement is based on the diesel generator manufacturer's consumption values for the runtime of the diesel. Implicit in this SR is the requirement to verify the capability to transfer the lube oil from its storage location to the DG, when the DG lube oil sump does not hold adequate inventory for 7 days of full load operation without the level reaching the manufacturer recommended minimum level. A 31 day Frequency is adequate to ensure a sufficient lubricating oil supply is onsite since diesel generator starts and run times are closely monitored by the plant staff.

SR 3.8.3.3

The tests listed below are a means of determining whether fuel is of appropriate grade and has not been contaminated with substances which would have an immediate, detrimental impact on diesel engine combustion and operation. If results from these tests are within acceptable limits, the fuel may be added to the storage tanks without concern for contaminating the entire volume of fuel in the storage tanks. These tests are to be conducted prior to adding the new fuel to the storage tank(s), but in no case is the time between receipt of new fuel and conducting the tests to exceed 31 days. The Frequency is established by Regulatory Guide 1.137 (Ref. 2). The tests, limits, and applicable ASTM standards are as follows:

a. Sample new fuel in accordance with ASTM D4057-88.
b. Verify in accordance with tests specified in ASTM D975-82 that the sample has an absolute specific gravity at 60/60°F of ≥ 0.83 but ≤ 0.89, or an API gravity at 60°F of ≥ 27 and ≤ 39; a kinematic viscosity at 40°C of ≥ 1.9 centistokes and ≤ 4.1 centistokes; and a flash point ≥ 125°F.
c. Verify the new fuel oil has a clear and bright appearance with proper color when tested in accordance with ASTM D4176-86.

Failure to meet any of the above limits is cause to reject the new fuel, but does not constitute a diesel generator OPERABILITY concern since the fuel is not added to the storage tanks.

Within 31 days following the initial new fuel oil sample, this Surveillance is performed to establish that the other properties specified in Table 1 of ASTM D975-82 are met for new fuel oil when tested in accordance with ASTM D975-82, except that the analysis for sulfur may be performed in accordance with ASTM D1552-88 or ASTM D2622-82. The 31 day period is acceptable because the fuel oil properties of interest, even if they were not within stated limits, would not have an immediate effect on DG operation. This Surveillance ensures the availability of high quality fuel oil for the DGs.

Fuel oil degradation during long term storage shows up as an increase in particulate, due mostly to oxidation. The presence of particulate does not mean the fuel oil will not burn properly in a diesel engine. The particulate can cause fouling of filters and fuel oil injection equipment, however, which can cause engine failure.

Particulate concentrations should be determined in accordance with ASTM D2276-88. This method involves a gravimetric determination of total particulate concentration in the fuel oil and has a limit of 10 mg/l. It is acceptable to obtain a field sample for subsequent laboratory testing in lieu of field testing. Each of the DGs' storage tanks is tested separately.

The Frequency of this test takes into consideration fuel oil degradation trends that indicate that particulate concentration is unlikely to change significantly between Frequency intervals.

SR 3.8.3.4

This Surveillance ensures that, without the aid of the refill compressor, sufficient air start capacity for each DG is available. The system design requirements provide for a minimum of [five] engine start cycles without recharging. [A start cycle is defined by the DG vendor, but usually is measured in terms of time (seconds of cranking) or engine cranking speed.] The pressure specified in this SR is intended to reflect the lowest value at which the [five] starts can be accomplished.

The 31 day Frequency takes into account the capacity, capability, redundancy, and diversity of the AC sources and other indications available in the control room, including alarms, to alert the operator to below normal air start pressure.

SR 3.8.3.5

Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria which can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from fuel storage tanks once per 31 days eliminates the necessary environment for bacterial survival. This is the most effective means of controlling microbiological fouling. In addition, it eliminates the potential for water entrainment in the fuel oil during diesel generator operation. Water may come from any of several sources including condensation, ground water, rain water, contaminated fuel oil, and from breakdown of the fuel oil by bacteria.

Frequent checking for and removal of accumulated water minimizes fouling as well as providing data regarding fuel oil system water tight integrity. The Surveillance Frequencies are established by Regulatory Guide 1.137 (Ref. 2). This SR is for preventive maintenance. The presence of water does not necessarily represent failure of this SR, provided the accumulated water is removed during performance of the Surveillance.

SR 3.8.3.6

The draining of the fuel oil in the storage tanks, removal of accumulated sediment, and tank cleaning is required at ten-year intervals by Regulatory Guide 1.137 (Ref. 2). This also requires the performance of the ASME Code Section XI examinations of the tanks. To preclude the introduction of surfactants in the fuel oil system, the cleaning should be accomplished using sodium hypochlorite solutions or their equivalent rather than soap or detergents. This SR is for preventive maintenance. The presence of sediment does not necessarily represent a failure of this SR, provided that accumulated sediment is removed during performance of the Surveillance.


REFERENCES

1. Chapter 9.
2. Regulatory Guide 1.137, "Fuel Oil Systems for Standby Diesel Generators," October 1979.
3. ANSI N195-1976, "Fuel Oil Systems for Standby Diesel Generators," Appendix B.
4. ASTM Standards: D4057; D975; D4176; D1552; D2622; D2276, Method A.


B 3.8 ELECTRICAL POWER SYSTEMS
B 3.8.4 DC Sources - Operating

BASES

BACKGROUND

The Class 1E DC Power System provides control power for the AC emergency power system (4160 V). It also provides both motive and control power to selected safety-related equipment and provides circuit breaker control power for the 4160 V and lower AC distribution system. The DC Power System is also the source of power for the vital instrumentation buses via inverters. The six DC subsystems are designed to have sufficient independence, redundancy and testability to perform their safety functions assuming a single failure. The DC Power System also conforms to the requirements of 10 CFR 50, Appendix A, GDC-17 (Ref. 3), Regulatory Guide 1.6 (Ref. 1), and IEEE 308 (Ref. 2). The six batteries are:

    Division I              Division II
    Division I Battery      Division II Battery
    Channel A Battery       Channel B Battery
    Channel C Battery       Channel D Battery

During normal operations, the DC load is carried by the battery chargers with the battery floating on the system.

In case of loss of normal power to the battery charger, the DC load is automatically powered from the station batteries.

Each DC subsystem is energized by a dedicated 125 volt battery and associated 125 volt battery charger. Each battery is exclusively associated with a single 125 volt DC bus and each battery charger is supplied by its associated AC load group.

Each of the six DC subsystems is made up of the following:

a. A [120-cell lead-calcium battery] rated at [1650] Ah for eight hours to [108] volts at 77°F;
b. A static battery charger rated at [400] amps with 0.5% voltage regulation with an AC supply variation of 10% in voltage and 5% in frequency; and
c. Associated switchboards and distribution panels.

However, in order to fulfill the battery capacity criteria, "to supply one division battery's loads and one channel of loads," the batteries may be cross-tied to allow coping strategies to be implemented in accordance with the capacity sizing. Additionally, the batteries provide a Station Blackout (SBO) coping capability which, assuming manual load shedding or the use of load management programs, exceeds two hours, and as a minimum, permits operating the instrumentation and control loads associated with the turbine-driven emergency feedwater pumps for 8 hours.

Battery operating voltage is 125 volts and each battery has adequate storage to supply the division battery loads and one channel of loads for two hours without recharging (Ref. 4). Capacity is adequate for all loss of coolant accident (LOCA) conditions or any other emergency shutdown. The DC power distribution system is described in more detail in the Bases for LCO 3.8.9, "Distribution Systems - Operating," and LCO 3.8.10, "Distribution Systems - Shutdown."

Each 125 volt DC Class 1E battery is separately housed in a ventilated room apart from its charger and distribution center. Each subsystem is located in an area separated physically and electrically from other subsystems to ensure that a single failure in one subsystem does not cause failure in the redundant subsystem. In normal alignment, there is no sharing between redundant Class 1E subsystems such as batteries, battery chargers, or distribution panels. Class 1E batteries of the same division may be cross-tied together for accident coping (SBO) and/or LCO purposes.

All batteries are sized to produce the required capacity at 80% of nameplate rating, corresponding to warranted capacity at end of life cycle and 100% design demand. Battery size is based on 125% of required capacity, and after selection of an available commercial battery, results in a battery capacity in excess of 150% of required capacity. The voltage design limit is [*] volts per cell, which corresponds to a total minimum voltage output of [*] volts per battery bank.

* Values to be determined by system detail design.

Each battery charger has ample power output capacity for the steady-state operation of connected loads required during normal operation while at the same time maintaining its battery bank fully charged. Each battery charger has sufficient capacity to restore the battery bank from the design minimum charge to 95% of its fully charged state in [12] hours while supplying normal steady-state loads (Ref. 4).
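The sizing rules stated above (capacity delivered at 80% of nameplate at end of life, battery size based on 125% of required capacity, and a charger that restores the battery to 95% of full charge in [12] hours while carrying the normal steady-state load) can be checked numerically. The following is an added worked example, not code from the System 80+ DCD or from ABB Combustion Engineering. The duty-cycle ampere-hours, the steady-state load, the modelling of "design minimum charge" as nameplate minus the duty cycle, and the recharge-current estimate (A = k × Ah / T + L with k = 1.1, an IEEE 946 style factor) are assumptions for illustration; the [1650] Ah battery and [400] A charger are the bracketed values from these Bases.

```python
"""Battery and charger sizing checks for a Class 1E 125 V DC subsystem.

Added worked example; not part of the System 80+ DCD. Duty-cycle Ah, the
steady load, the design-minimum-charge model and the recharge factor k are
assumptions for illustration.
"""
from dataclasses import dataclass

END_OF_LIFE_FRACTION = 0.80   # Bases: required capacity delivered at 80% of nameplate
DESIGN_MARGIN = 1.25          # Bases: battery size based on 125% of required capacity
RECHARGE_TARGET = 0.95        # Bases: charger restores the bank to 95% of full charge
RECHARGE_HOURS = 12.0         # Bases: in [12] hours while supplying steady-state loads
RECHARGE_FACTOR_K = 1.1       # assumed lead-acid recharge inefficiency factor


@dataclass(frozen=True)
class Battery:
    nameplate_ah: float       # rated Ah at the 8-hour rate, e.g. [1650]


@dataclass(frozen=True)
class Charger:
    rated_amps: float         # e.g. [400]


def minimum_nameplate_ah(duty_cycle_ah: float) -> float:
    """Smallest nameplate rating that still delivers the duty cycle with the
    125% design margin after aging to 80% of nameplate."""
    return duty_cycle_ah * DESIGN_MARGIN / END_OF_LIFE_FRACTION


def end_of_life_margin(battery: Battery, duty_cycle_ah: float) -> float:
    """Usable end-of-life capacity divided by the required capacity."""
    return battery.nameplate_ah * END_OF_LIFE_FRACTION / duty_cycle_ah


def selected_capacity_ratio(battery: Battery, duty_cycle_ah: float) -> float:
    """Nameplate of the selected commercial battery over the required capacity;
    the Bases expect the selected battery to exceed 150% of required capacity."""
    return battery.nameplate_ah / duty_cycle_ah


def recharge_current(battery: Battery, duty_cycle_ah: float,
                     steady_load_a: float) -> float:
    """Charger output needed to bring the bank from the assumed design minimum
    charge (nameplate minus the duty cycle) to RECHARGE_TARGET of nameplate
    in RECHARGE_HOURS while also feeding the steady-state DC load."""
    remaining_ah = battery.nameplate_ah - duty_cycle_ah
    ah_to_restore = max(0.0, RECHARGE_TARGET * battery.nameplate_ah - remaining_ah)
    return RECHARGE_FACTOR_K * ah_to_restore / RECHARGE_HOURS + steady_load_a


def charger_adequate(charger: Charger, battery: Battery,
                     duty_cycle_ah: float, steady_load_a: float) -> bool:
    """True when the charger rating covers recharge plus steady-state load."""
    return recharge_current(battery, duty_cycle_ah, steady_load_a) <= charger.rated_amps


if __name__ == "__main__":
    # Constructed figures: a 1000 Ah duty cycle (one division battery's loads
    # plus one channel of loads) and a 250 A steady-state load.
    bat = Battery(nameplate_ah=1650.0)
    chg = Charger(rated_amps=400.0)
    print("minimum nameplate Ah :", minimum_nameplate_ah(1000.0))
    print("end-of-life margin   :", end_of_life_margin(bat, 1000.0))
    print("selected / required  :", selected_capacity_ratio(bat, 1000.0))
    print("recharge amps needed :", recharge_current(bat, 1000.0, 250.0))
    print("charger adequate     :", charger_adequate(chg, bat, 1000.0, 250.0))
```

With the constructed 1000 Ah duty cycle the minimum nameplate is 1562.5 Ah, so the [1650] Ah battery gives 165% of required capacity and still 132% after aging, and the [400] A charger covers the roughly 334 A needed to recharge while carrying the 250 A steady load. Changing the steady load or the duty cycle shows how quickly the charger margin, rather than the battery margin, becomes the limiting figure.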

APPLICABLE SAFETY ANALYSES

The initial conditions of design basis transient and accident analyses in Chapter 6, Engineered Safety Features, and Chapter 15, Accident Analyses, assume Engineered Safety Features (ESF) systems are OPERABLE. The DC power subsystem provides normal and emergency DC power for the diesel generators, emergency auxiliaries, and for control and switching during all MODES of operation. The OPERABILITY of the DC power sources is consistent with the initial assumptions of the accident analyses, which are based upon maintaining the required DC power sources and associated distribution systems OPERABLE during accident conditions in the event of (1) an assumed loss of offsite AC power or all onsite AC power; and (2) a worst case single failure.

The DC power sources satisfy Criterion 3 of the NRC Policy Statement.

LCO

The Division 1 and 2 DC electrical power subsystems and corresponding control equipment and cabling are required to be OPERABLE to ensure availability of the required power to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence or a postulated design basis accident. Loss of any one of the DC power subsystems does not prevent the minimum safety function from being performed. Each DC electrical power subsystem is considered OPERABLE if the 125 volt battery and associated battery charger satisfy the applicable Surveillance Requirements.

An OPERABLE DC electrical power subsystem requires all required batteries and respective chargers to be operating and connected to the associated DC buses.

Inoperable DC sources do not necessarily result in inoperable components unless specifically directed by Required Actions (refer to LCO 3.0.7). The relationship of the electrolyte parameter limits to the OPERABILITY of DC sources is covered by LCO 3.8.6, "Battery Cell Parameters." During periods when battery cell parameters are not within limits, DC sources are not necessarily inoperable unless specifically directed by the Required Actions of LCO 3.8.6.

APPLICABILITY

The DC electrical power subsystems are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure safe plant operation and to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of anticipated operational occurrences or abnormal transients; and

b. Adequate core cooling is provided, and containment integrity and other vital functions are maintained in the event of a postulated DBA.

DC power requirements for MODES 5 and 6 are addressed in the Bases for LCO 3.8.5, "DC Sources - Shutdown."

ACTIONS

A.1 and A.2

With one of the six DC electrical power subsystems inoperable, the cross-tie may be utilized to allow the remaining two OPERABLE subsystems within the division to power the loads of the inoperable power source and fulfill the SBO coping capability. This is possible since each battery is sized to provide the one division battery loads and one channel of loads. Thus, the two remaining OPERABLE batteries may power the inoperable battery's loads while it

is being restored to OPERABILITY. This design feature should be utilized with the intent of restoring the inoperable components within 72 hours.

B.1 and B.2

With two of the required DC electrical power subsystems inoperable, the remaining DC electrical power subsystems have the capacity to support a safe shutdown and to mitigate an accident condition. However, since a subsequent worst case single failure would result in the loss of the 125 volt Class 1E battery system, continued power operation should not exceed two hours. The two hour Completion Time is based on Regulatory Guide 1.93 (Ref. 5) and engineering judgment considering the number of available systems and the time required to reasonably complete the Required Actions.

C.1 and C.2

The plant must be placed in a MODE in which the LCO does not apply if the DC electrical power subsystem cannot be restored to OPERABLE status in the associated Completion Time. This is done by placing the plant in at least MODE 3 in six hours and in MODE 5 in 36 hours. The allowed Completion Times are reasonable based on operating experience to reach the required MODES from full power without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.8.4.1

Verifying battery terminal voltage while on float charge for the 125/250 volt Class 1E battery helps ensure the effectiveness of the charging system and the ability of the battery to perform its intended function. Float charge is the condition where the charger is supplying the continuous charge required to overcome the internal losses of a battery (or battery cell) and maintain the battery (or battery cell) in a fully charged state. The voltage requirements are based on the nominal design voltage of the battery and are

consistent with the initial voltages assumed in the battery sizing calculations. The 7 day Frequency is consistent with the manufacturers' recommendations and IEEE 450 (Ref. 6).

SR 3.8.4.2

Visual inspection to detect corrosion of the battery cells and connections, or measurement of the resistance of each cell and terminal connection, provides an indication of physical damage or abnormal deterioration which could potentially degrade battery performance. The connection resistance value is a ceiling value established by the battery manufacturer based on calculations taking into consideration the physical configuration of the batteries. The 92 day Frequency is sufficient for detecting trends in these conditions indicative of any problems. A more complete inspection is performed in conjunction with the preventive maintenance program conducted during refueling outages.

SR 3.8.4.3

Visual inspection of the battery cells, cell plates, and battery racks provides an indication of physical damage or abnormal deterioration which could potentially degrade battery performance. The 12 month Frequency is consistent with IEEE 450 (Ref. 6).

SR 3.8.4.4 and SR 3.8.4.5

Visual inspections and resistance measurements of the cell-to-cell and terminal connections provide an indication of physical damage or abnormal deterioration which could indicate degraded battery performance. The anti-corrosion material is used to help ensure good electrical connections and to reduce terminal deterioration. The visual inspection for corrosion is not intended to require removal and inspection under each terminal connection. The connection resistance value is a ceiling value established by the manufacturer based on calculations taking into consideration

the physical configuration of the batteries. The 12 month Frequency is consistent with IEEE 450 (Ref. 6).

SR 3.8.4.6

Regulatory Guide 1.32 (Ref. 7) requires that the battery charger supply be based on the largest combined demands of the various steady state loads and the charging capacity to restore the battery from the design minimum charge state to the fully charged state, irrespective of the status of the unit during which these demands occur. The minimum required amperes and duration ensure that the DC load requirements can be satisfied (refer to SR 3.8.4.7). The Frequency is based on engineering judgment and industry accepted practice considering the unit conditions required to perform the test, and is intended to be consistent with expected fuel cycle lengths.

This Surveillance is modified by two Notes. The first Note prohibits performance of this Surveillance in MODES 1, 2, 3, or 4. Performance of this test requires the associated DC division to be inoperable during the test. Therefore, this test must be performed in MODE 5 or 6. The second Note allows credit to be taken for unplanned events that satisfy this Surveillance Requirement.

SR 3.8.4.7

Regulatory Guide 1.32 (Ref. 7) requires the performance of a battery service test in accordance with IEEE 450 (Ref. 6) at intervals not to exceed [18] months. A battery service test is a special capacity test to demonstrate the capability of the battery to meet the system analyzed response requirements. Reference 4 provides the load requirements for the batteries.

This Surveillance is modified by three Notes. The first Note allows a modified performance discharge test in lieu of a service test once per 60 months.

The modified performance discharge test is a simulated duty cycle consisting of just two rates: the one minute rate published for the battery or the largest current load of the duty cycle, followed by the test rate employed for the performance test, both of which envelope the duty cycle of the service test. Since the ampere-hours removed by a rated one minute discharge represent a very small portion of the battery capacity, the test rate can be changed to that for the performance test without compromising the results of the performance discharge test. The battery terminal voltage for the modified performance discharge test should remain above the minimum battery terminal voltage specified in the battery service test for a duration of time equal to that of the service test.

A modified performance discharge test is a test of the battery capacity and its ability to provide a high rate, short duration load (usually the highest rate of the duty cycle). This will often confirm the battery's ability to meet the critical period of the load duty cycle, in addition to determining its percentage of rated capacity. Initial conditions for the modified performance discharge test should be identical to those specified for a service test.

The second Note prohibits performance of this Surveillance in MODES 1, 2, 3, or 4. Performance of this test requires the associated DC division to be inoperable during the test. Therefore, this test must be performed in MODE 5 or 6. The third Note allows credit to be taken for unplanned events that satisfy this Surveillance Requirement.

SR 3.8.4.8

IEEE 450 (Ref. 6) recommends a performance discharge test for each battery at 60 month intervals. A battery performance test is a capacity test of the battery in the "as found" condition, after being in service, to detect any change in the capacity as determined by the new battery acceptance test. The test is intended to determine overall battery degradation due to age and usage.

A battery modified performance discharge test is described in the Bases for SR 3.8.4.7. Either the battery performance discharge test or the modified performance discharge test is acceptable for satisfying SR 3.8.4.8; however, only the modified performance discharge test may be used to satisfy SR 3.8.4.8 while satisfying the requirements of SR 3.8.4.7 at the same time.

IEEE 485 (Ref. 8) recommends that the battery should be replaced if its capacity is below 80% of the manufacturer's rating. A capacity of 80% shows that the battery's rate of deterioration is increasing even if there is ample capacity to meet the load requirements. The acceptance criterion for this Surveillance specifies an 80% capacity based on the extension of the Frequency for SR 3.8.4.7 from the IEEE 450 recommendation of [12] months to [18] months.

IEEE 450 (Ref. 6) recommends a 60 month Surveillance Frequency, or that a performance discharge test be performed every 12 months for any battery that shows signs of degradation or has reached 85% of the service life expected for the application. Degradation is indicated when the battery capacity drops more than 10% of rated capacity from its average on previous performance tests, or is below 90% of the manufacturer's rating.

The Frequencies are consistent with the recommendations in IEEE 450 (Ref. 6).

This Surveillance is modified by two Notes. The first Note prohibits performance of this Surveillance in MODES 1, 2, 3, or 4. Performance of this test requires the associated DC division to be inoperable during the test. Therefore, this test must be performed in MODE 5 or 6. The second Note allows credit to be taken for unplanned events that satisfy this Surveillance Requirement.

REFERENCES

1. Regulatory Guide 1.6, "Independence Between Redundant Standby (Onsite) Power Sources and Between Their Distribution Systems," March 10, 1971.

2. IEEE 308-1974, "IEEE Standard Criteria for Class 1E Power Systems for Nuclear Power Generating Stations."

3. 10 CFR 50, Appendix A, General Design Criterion 17, "Electric Power Systems."

4. Chapter 8.

5. Regulatory Guide 1.93, "Availability of Electric Power Sources," December 1974.

6. IEEE 450-1980, "IEEE Recommended Practice for Maintenance, Testing, and Replacement of Large Lead Storage Batteries for Generating Stations and Substations."

7. Regulatory Guide 1.32, "Criteria for Safety-Related Electric Power Systems for Nuclear Power Plants," February 1977.

8. IEEE 485-1983, "IEEE Recommended Practice for Sizing Large Lead Storage Batteries for Generating Stations and Substations," June 1983.

9. Chapter 6.

10. Chapter 15.

DC Sources - Shutdown
B 3.8 ELECTRICAL POWER SYSTEMS
B 3.8.5 DC Sources - Shutdown

BASES

BACKGROUND

A description of the DC Power Sources is provided in the Bases for LCO 3.8.4, "DC Sources - Operating."

APPLICABLE SAFETY ANALYSES

The initial conditions of Design Basis Accident (DBA) and transient analyses in Chapter 6 and Chapter 15 assume that Engineered Safety Feature (ESF) systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power for the DGs, emergency auxiliaries, and control and switching during all MODES of operation.

The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.

The OPERABILITY of the minimum specified DC Power Sources during MODES 5 and 6 ensures that: 1) the plant can be maintained in the shutdown or refueling condition for extended time periods; 2) sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and 3) adequate DC electrical power is provided to mitigate events postulated during shutdown, such as an inadvertent draindown of the vessel or a fuel handling accident.

The DC sources satisfy Criterion 3 of the NRC Policy Statement.

LCO

In MODES 5 and 6, the DC electrical power subsystems supporting the DC power distribution subsystem(s) of LCO 3.8.10, "Distribution Systems - Shutdown," are required to be OPERABLE. This ensures the availability of sufficient power to recover from postulated events in MODES 5 and 6.

A description of OPERABILITY requirements for the DC Power Source Division is provided in the Bases of LCO 3.8.4, "DC Sources - Operating."

The relationship of the electrolyte parameter limits to the OPERABILITY of DC sources is dictated by LCO 3.8.6, "Battery Cell Parameters."

APPLICABILITY

The DC Power Sources required to be OPERABLE in MODES 5 and 6 provide assurance that:

a. Required features to provide adequate coolant inventory makeup are available for the irradiated fuel assemblies in the core in case of an inadvertent draindown of the reactor vessel;

b. Required features needed to mitigate a fuel handling accident are available;

c. Required features necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and

d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown or refueling condition.

DC power requirements for MODES 1, 2, 3, and 4 are addressed in LCO 3.8.4, "DC Sources - Operating."

ACTIONS

A.1, A.2.1, A.2.2, A.2.3, A.2.4, and A.2.5

If two divisions are required per LCO 3.8.10, the remaining division with DC power available may be capable of supporting sufficient systems to allow continuation of CORE ALTERATIONS, fuel movement, and operations with a potential for draining the reactor vessel. By allowing the option to declare required features inoperable with the associated DC power source(s) inoperable, appropriate restrictions will be

implemented in accordance with the affected required features' LCO ACTIONS. In many instances, this option may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies, any activities that could result in inadvertent draining of the reactor vessel, and operations involving positive reactivity additions). The Required Action to suspend positive reactivity additions does not preclude actions to maintain or increase reactor vessel inventory, provided the required SDM is maintained.

Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required DC electrical power subsystems and to continue this action until restoration is accomplished in order to provide the necessary DC electrical power to the unit safety systems.

Notwithstanding performance of the above conservative Required Actions, the unit is still without sufficient DC power sources to operate in a safe manner. Therefore, action must be initiated to restore the minimum required DC power sources and continued until the LCO requirements are restored.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required DC electrical power subsystems should be completed as quickly as possible in order to minimize the time during which the unit safety systems may be without sufficient power.

SURVEILLANCE REQUIREMENTS

SR 3.8.5.1

SR 3.8.5.1 states that Surveillances required by SR 3.8.4.1 through SR 3.8.4.8 are applicable in these MODES. See the corresponding Bases for LCO 3.8.4 for a discussion of each SR.

REFERENCES

1. Chapter 6.

2. Chapter 15.

Battery Cell Parameters
B 3.8 ELECTRICAL POWER SYSTEMS
B 3.8.6 Battery Cell Parameters

BASES

BACKGROUND

LCO 3.8.6, "Battery Cell Parameters," utilizes Table 3.8.6-1 to delineate the limits on electrolyte level, float voltage, and specific gravity for the DC Power Source batteries. A discussion of these batteries and their OPERABILITY requirements is provided in the Bases for LCO 3.8.4, "DC Sources - Operating," and LCO 3.8.5, "DC Sources - Shutdown." Within this table, Category A defines the limits for each designated pilot cell and Category B does the same for each connected cell.

The Category A limits for the designated pilot cell, a float voltage ≥ [2.13] volts and a specific gravity ≥ [1.200] (0.015 below the manufacturer's fully charged nominal specific gravity), or a battery charging current that has stabilized at a low value, are characteristic of a charged cell with adequate capacity. The limits on electrolyte level ensure no physical damage to the plates occurs and adequate electron transfer capability is maintained in the event of transient conditions.

The Category B limits for each connected cell, a float voltage ≥ [2.13] volts and a specific gravity ≥ [1.195] (0.020 below the manufacturer's fully charged nominal specific gravity) with an average specific gravity of all the connected cells ≥ [1.205] (0.010 below the manufacturer's fully charged nominal specific gravity), ensure the OPERABILITY and capability of the battery. The limits on electrolyte level ensure no physical damage to the plates occurs and adequate electron transfer capability is maintained in the event of transient conditions.

The limits are based upon the manufacturer's recommended values to ensure the OPERABILITY and capability of the battery. The specific gravity limits assume a manufacturer's recommended fully charged nominal specific gravity of 1.215.

Specific gravity must be corrected for electrolyte temperature and level, and the float voltage limits may be corrected for average electrolyte temperature. These Notes

provide for correction of the measured values in accordance with the manufacturer's recommendations when the values reflect transient conditions as opposed to battery capacity.

Category C defines allowable values of electrolyte level, float voltage, and specific gravity for each connected cell. These values represent degraded battery conditions. However, operation is permitted when Category C limits are met since sufficient capacity exists to perform the intended function. These values are discussed in more detail in the ACTIONS section of these Bases.

APPLICABLE SAFETY ANALYSES

The initial conditions of design basis transient and accident analyses in Chapter 6, Engineered Safety Features, and Chapter 15, Accident Analyses, assume all Engineered Safety Features (ESF) systems are OPERABLE. The DC electrical power systems provide normal and emergency DC power for the DGs, emergency auxiliaries, and control and switching during all MODES of operation. The OPERABILITY of the DC subsystem is consistent with the initial assumptions of the accident analyses and is based upon maintaining one division of DC power sources and associated distribution systems OPERABLE during accident conditions in the event of (1) an assumed loss of all offsite AC power or all onsite AC power; and (2) a worst case single failure.

Battery cell parameters satisfy Criterion 3 of the NRC Policy Statement.

LCO

Battery cell parameters must remain within acceptable limits to ensure availability of the required DC power to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence or a postulated DBA.

Electrolyte limits are conservatively established, allowing continued DC electrical system function even with Category A and B limits not met.

APPLICABILITY

The battery cell parameters are required solely for the support of the associated DC electrical power subsystems. Therefore, battery electrolyte limits apply only when the DC power source is required to be OPERABLE. Refer to the Applicability discussion in the Bases for LCO 3.8.4 and LCO 3.8.5.

ACTIONS

A.1, A.2, and A.3

Operation with one or more cells in one or more batteries with parameters not within limits (i.e., Category A limits not met, or Category B limits not met, or Category A and B limits not met), but within the allowable values (Category C limits are met) specified in Table 3.8.6-1, is permitted for a limited period since sufficient capacity exists to perform the intended function. The pilot cell electrolyte level and float voltage are required to be verified to meet the Category C allowable values within one hour (Required Action A.1). This check will provide a quick indication of the status of the remainder of the battery cells. One hour provides time to inspect the electrolyte level and to confirm the float voltage of the pilot cells. The Completion Time is based on engineering judgment taking into consideration the time required to perform the Required Action.

Verification that the Category C allowable values are met for all cells (Required Action A.2) will ensure that, during the time to restore the parameters to the Category A and B limits, the battery will still be capable of performing its intended function. Twenty-four hours are provided to complete Required Action A.2 because specific gravity measurements must be obtained for each connected cell. As such, the Completion Time is based on engineering judgment taking into consideration the time required to perform the Required Action and the assurance provided by Required Action A.1 that the battery cell parameters are not severely degraded.

Continued operation is only permitted for 31 days before battery cell parameters must be restored to within Category A and B limits, with the consideration that, while battery capacity is degraded, sufficient capacity exists to perform

the intended function and to allow time to fully restore the battery cell parameters to normal limits. This time is acceptable prior to declaring the battery inoperable. During this 31 day period:

a. The allowable values for electrolyte level (above the top of the plates and not overflowing) ensure no physical damage to the plates with an adequate electron transfer capability;

b. The allowable value for the average specific gravity of all the cells, ≥ [1.195] ([0.020] below the manufacturer's recommended fully charged nominal specific gravity), or a battery charging current that has stabilized at less than [2] amperes on a float charge, is the manufacturer's recommendation and ensures that the decrease in capacity will be less than the margin provided in sizing;

c. The allowable value for an individual cell's specific gravity, not more than [0.020] below the average of all the connected cells, ensures that an individual cell's specific gravity will not be more than [0.040] below the manufacturer's fully charged nominal specific gravity. This is the value recommended by the manufacturer to ensure the overall capability of the battery will be maintained within an acceptable limit; and

d. The allowable value for an individual cell's float voltage, [> 2.07] volts, ensures the battery's capability to perform its design function.

The 31 day Completion Time is based on engineering judgment taking into consideration that, while battery capacity is degraded, sufficient capacity exists to perform the intended function and to allow time to fully restore the battery cell parameters to normal limits.

When any battery parameter is outside the Category C allowable value, sufficient capacity to supply the maximum expected load requirements is not assured and Condition B would be entered.
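The Category A, B and C limits described in the BACKGROUND and in the ACTIONS above, together with the temperature correction of specific gravity, amount to a classification rule that can be written down and run against a set of cell readings. The following is an added worked example, not code from the System 80+ DCD or from ABB Combustion Engineering. It uses the bracketed values these Bases quote (Category A: pilot cell float voltage ≥ [2.13] V and specific gravity ≥ [1.200]; Category B: every cell ≥ [2.13] V and ≥ [1.195] with an average ≥ [1.205]; Category C: every cell > [2.07] V, average ≥ [1.195] or float current stabilized below [2] A, no cell more than [0.020] below the average, electrolyte above the plates and not overflowing) and maps the result to the outcome the ACTIONS describe, including entry into Condition B when the average electrolyte temperature falls below [60]°F. The temperature correction (0.001 specific gravity per 3°F from 77°F), the electrolyte level codes and the sample readings are assumptions for illustration; level correction of specific gravity is not modelled.

```python
"""Classify battery cell readings against the Table 3.8.6-1 categories.

Added worked example; not code from the System 80+ DCD. Thresholds are the
bracketed values quoted in these Bases; the temperature correction, level
codes and sample readings are assumptions for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Level(Enum):
    BELOW_PLATES = "below top of plates"
    NORMAL = "between the minimum and maximum marks"
    ABOVE_MAX = "above the maximum mark but not overflowing"
    OVERFLOWING = "overflowing"


@dataclass(frozen=True)
class CellReading:
    cell: int
    float_volts: float
    specific_gravity: float     # hydrometer reading, not yet temperature corrected
    temp_f: float
    level: Level
    pilot: bool = False


# Bracketed values from the Bases; plant-specific values are set in detail design.
CAT_A_FLOAT_V, CAT_A_SG = 2.13, 1.200
CAT_B_FLOAT_V, CAT_B_SG, CAT_B_AVG_SG = 2.13, 1.195, 1.205
CAT_C_FLOAT_V, CAT_C_AVG_SG, CAT_C_SG_BELOW_AVG = 2.07, 1.195, 0.020
STABILIZED_FLOAT_AMPS = 2.0         # Category C alternative to the average SG check
MIN_AVG_TEMP_F = 60.0               # below this, Condition B (declare inoperable)
REFERENCE_TEMP_F, SG_PER_3F = 77.0, 0.001   # assumed manufacturer correction


def corrected_sg(r: CellReading) -> float:
    """Correct a hydrometer reading to 77 F (level correction not modelled)."""
    return round(r.specific_gravity + (r.temp_f - REFERENCE_TEMP_F) / 3.0 * SG_PER_3F, 3)


def level_within_ab(level: Level, equalizing: bool) -> bool:
    """Category A/B level limit; Note a. allows above-max only while equalizing."""
    return level is Level.NORMAL or (level is Level.ABOVE_MAX and equalizing)


def level_within_c(level: Level) -> bool:
    """Category C allowable level: above the plates and not overflowing."""
    return level in (Level.NORMAL, Level.ABOVE_MAX)


def category_a_met(cells: List[CellReading], equalizing: bool = False) -> bool:
    pilots = [c for c in cells if c.pilot]
    return bool(pilots) and all(
        c.float_volts >= CAT_A_FLOAT_V and corrected_sg(c) >= CAT_A_SG
        and level_within_ab(c.level, equalizing) for c in pilots)


def category_b_met(cells: List[CellReading], equalizing: bool = False) -> bool:
    sgs = [corrected_sg(c) for c in cells]
    return sum(sgs) / len(sgs) >= CAT_B_AVG_SG and all(
        c.float_volts >= CAT_B_FLOAT_V and sg >= CAT_B_SG
        and level_within_ab(c.level, equalizing) for c, sg in zip(cells, sgs))


def category_c_met(cells: List[CellReading], float_amps: Optional[float] = None) -> bool:
    sgs = [corrected_sg(c) for c in cells]
    avg = sum(sgs) / len(sgs)
    avg_ok = avg >= CAT_C_AVG_SG or (float_amps is not None and float_amps < STABILIZED_FLOAT_AMPS)
    return avg_ok and all(
        c.float_volts > CAT_C_FLOAT_V and sg >= avg - CAT_C_SG_BELOW_AVG
        and level_within_c(c.level) for c, sg in zip(cells, sgs))


def lco_condition(cells: List[CellReading], float_amps: Optional[float] = None,
                  equalizing: bool = False) -> str:
    """Map one battery's readings to the LCO 3.8.6 outcome described in the ACTIONS."""
    avg_temp = sum(c.temp_f for c in cells) / len(cells)
    if avg_temp < MIN_AVG_TEMP_F or not category_c_met(cells, float_amps):
        return "Condition B: declare the DC subsystem inoperable"
    if category_a_met(cells, equalizing) and category_b_met(cells, equalizing):
        return "Within Category A and B limits"
    return "Condition A: verify Category C, restore Category A/B within 31 days"


def sample_batteries() -> Dict[str, List[CellReading]]:
    """Constructed six-cell readings (a real bank has [120] cells)."""
    def cell(n, v, sg, t=77.0, level=Level.NORMAL, pilot=False):
        return CellReading(n, v, sg, t, level, pilot)
    healthy = [cell(1, 2.17, 1.215, pilot=True)] + [cell(n, 2.17, 1.215) for n in range(2, 7)]
    # pilot cell SG slightly low and the bank average just under [1.205]
    degraded = [cell(1, 2.15, 1.198, pilot=True)] + [cell(n, 2.15, 1.205) for n in range(2, 7)]
    # one cell below the Category C float voltage
    weak_cell = healthy[:5] + [cell(6, 2.05, 1.215)]
    # cold bank: average electrolyte temperature below [60] F
    cold = [cell(n, 2.17, 1.215, t=55.0, pilot=(n == 1)) for n in range(1, 7)]
    return {"healthy": healthy, "degraded": degraded, "weak_cell": weak_cell, "cold": cold}


if __name__ == "__main__":
    for name, cells in sample_batteries().items():
        print(f"{name:9s} -> {lco_condition(cells)}")
```

The ordering in `lco_condition` mirrors the ACTIONS: the Category C allowable values and the temperature floor decide whether the subsystem is inoperable at all, and only then do the Category A and B limits decide between normal operation and the 31 day Condition A. Running the sample shows a pilot cell reading of 1.198 sending the bank into Condition A even though every cell comfortably meets Category C, while a single cell at 2.05 V or a cold bank goes straight to Condition B.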

B.1

With one or more batteries with one or more battery cell parameters outside the Category C allowable value for any connected cell, sufficient capacity to supply the maximum expected load requirement is not assured and the corresponding DC electrical power subsystem must be declared inoperable. Additionally, other potentially extreme conditions, such as not completing the Required Actions of Condition A within the required Completion Time or the average electrolyte temperature of representative cells falling below [60]°F, are also cause for immediately declaring the associated DC electrical power subsystem inoperable.

SURVEILLANCE REQUIREMENTS

SR 3.8.6.1

This SR verifies that Category A battery cell parameters are consistent with IEEE 450 (Ref. 1), which recommends regular battery inspections (at least once per month) including voltage, specific gravity, and electrolyte temperature of pilot cells.

SR 3.8.6.2

The quarterly inspection of specific gravity and voltage is consistent with IEEE 450 (Ref. 1). In addition, within 24 hours of a battery discharge < [110] V or a battery overcharge > [150] V, the battery must be demonstrated to meet Category B limits. This inspection is also consistent with IEEE 450 (Ref. 1), which recommends special inspections following a severe discharge or overcharge, to ensure that no significant degradation of the battery occurs as a consequence of such discharge or overcharge.

SR 3.8.6.3

This Surveillance verification that the average temperature of representative cells is > [60]°F is consistent with a recommendation of IEEE 450 (Ref. 1), which states that the temperature of electrolytes in representative cells should be determined on a quarterly basis.

a r

Battery Cell Parameters B 3.8.6 V

BASES SURVEILLANCE SR 3.8.6.3 (continued)

REQUIREMENTS Lower than normal temperatures act to inhibit or reduce battery capacity. This SR ensures that the operating temperatures remain within an acceptable operating range. i This limit is based on manufacturer recomendations.

Table 3.8.6-1

This table delineates the limits on electrolyte level, float voltage, and specific gravity for three different categories. The meaning of each category is discussed below.

Category A defines the normal parameter limit for each designated pilot cell in each battery. The cells selected as pilot cells are those whose temperature, voltage, and electrolyte specific gravity approximate the state of charge of the entire battery.

The Category A limits specified for electrolyte level are based on manufacturer recommendations and are consistent with the guidance in IEEE 450 (Ref. 1), with the extra ¼ inch allowance above the high water level indication for operating margin to account for temperature and charge effects. In addition to this allowance, Note a. to Table 3.8.6-1 permits the electrolyte level to be above the specified maximum level during equalizing charge, provided it is not overflowing. These limits ensure that the plates suffer no physical damage, and that adequate electron transfer capability is maintained in the event of transient conditions. IEEE 450 (Ref. 1) recommends that electrolyte level readings should be made only after the battery has been at float charge for at least 72 hours.

The Category A limit specified for float voltage is ≥ [2.13] V per cell. This value is based on a recommendation of IEEE 450 (Ref. 1), which states that prolonged operation of cells < [2.13] V can reduce the life expectancy of cells.

The Category A limit specified for specific gravity for each pilot cell is ≥ [1.200] (0.015 below the manufacturer fully charged nominal specific gravity or a battery charging current that had stabilized at a low value). This value is characteristic of a charged cell with adequate capacity. According to IEEE 450 (Ref. 3), the specific gravity readings are based on a temperature of 77°F (25°C).

The specific gravity readings are corrected for actual electrolyte temperature and level. For each 3°F (1.67°C) above 77°F (25°C), 1 point (0.001) is added to the reading; 1 point is subtracted for each 3°F below 77°F. The specific gravity of the electrolyte in a cell increases with a loss of water due to electrolysis or evaporation. Note b. to Table 3.8.6-1 requires the above mentioned correction for electrolyte level and temperature, with the exception that level correction is not required when battery charging current is < [2] amps on float charge. This current provides, in general, an indication of overall battery condition.

Because of specific gravity gradients that are produced during the recharging process, delays of several days may occur while waiting for the specific gravity to stabilize. A stabilized charger current is an acceptable alternative to specific gravity measurement for determining the state of charge of the designated pilot cell. This phenomenon is discussed in IEEE 450 (Ref. 3). Note c. to Table 3.8.6-1 allows the float charge current to be used as an alternate to specific gravity for up to [7 days] following a battery equalizing recharge.

Category B defines the normal parameter limits for each connected cell. The term "connected cell" excludes any battery cell that may be jumpered out.

The Category B limits specified for electrolyte level and float voltage are the same as those specified for Category A and have been discussed above. The Category B limit specified for specific gravity for each connected cell is ≥ [1.195] (0.020 below the manufacturer fully charged, nominal specific gravity) with the average of all connected cells > [1.205] (0.010 below the manufacturer fully charged, nominal specific gravity). These values are based on manufacturer's recommendations. The minimum specific gravity value required for each cell ensures that the effects of a highly charged or newly installed cell will not mask overall degradation of the battery. Note b. to Table 3.8.6-1 requires correction of specific gravity for electrolyte temperature and level. This level correction is not required when battery charging current is < [2] amps on float charge.

Category C defines the allowable values for each connected cell. These values, although reduced, provide assurance that sufficient capacity exists to perform the intended function and maintain a margin of safety. When any battery parameter is outside the Category C allowable value, the assurance of sufficient capacity described above no longer exists and the battery must be declared inoperable.

The Category C allowable values specified for electrolyte level (above the top of the plates and not overflowing) ensure that the plates suffer no physical damage and maintain adequate electron transfer capability. The Category C allowable value for float voltage is based on IEEE 450 (Ref. 3), which states that a cell voltage of [2.07] V or below, under float conditions and not caused by elevated temperature of the cell, indicates internal cell problems and may require cell replacement.

The Category C allowable value of average specific gravity ≥ [1.195] is based on manufacturer recommendations (0.020 below the manufacturer recommended fully charged, nominal specific gravity). In addition to that limit, it is required that the specific gravity for each connected cell must be no less than [0.020] below the average of all connected cells. This limit ensures that the effect of a highly charged or new cell does not mask overall degradation of the battery. The Notes to Table 3.8.6-1 are applicable to Category A, B, and C specific gravity.
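The temperature correction of Note b. and the Category A, B, and C checks described above, written out as an added Python example; it is not part of the Bases and not Combustion Engineering's code. It takes the bracketed plant-specific values at face value, ignores partial 3°F steps (an assumption), does not model the manufacturer-specific level correction, represents the manufacturer's electrolyte level band for Categories A and B as a boolean, and assumes the Condition mapping the ACTIONS discussion implies (Category C not met gives Condition B; Category A or B not met with Category C met gives Condition A). The sample cell readings are constructed.

```python
from dataclasses import dataclass
from statistics import mean

# Limits as the Bases describe Table 3.8.6-1 (bracketed values taken at face value).
REF_TEMP_F = 77.0       # specific gravity readings are referenced to 77°F (25°C)
POINT = 0.001           # one "point" of specific gravity
CAT_AB_FLOAT_V = 2.13   # Category A/B float voltage per cell (>=)
CAT_A_SG = 1.200        # Category A pilot cell specific gravity (>=)
CAT_B_SG = 1.195        # Category B each connected cell (>=)
CAT_B_AVG_SG = 1.205    # Category B average of all connected cells (>)
CAT_C_FLOAT_V = 2.07    # Category C float voltage (>)
CAT_C_AVG_SG = 1.195    # Category C average specific gravity (>=)
CAT_C_SPREAD = 0.020    # Category C: no cell more than this below the average


@dataclass
class Cell:
    voltage: float       # float voltage, volts
    sg_reading: float    # specific gravity as read (uncorrected)
    temp_f: float        # electrolyte temperature, °F
    level_in_band: bool  # level within the manufacturer's Category A/B band
    above_plates: bool   # level above top of plates and not overflowing (Category C)
    pilot: bool = False  # designated pilot cell


def correct_sg(reading: float, temp_f: float) -> float:
    """Temperature-correct a reading: add 1 point per full 3°F above 77°F,
    subtract 1 point per full 3°F below. Level correction is manufacturer
    specific and not modelled here (assumption: partial 3°F steps are ignored)."""
    steps = int((temp_f - REF_TEMP_F) / 3.0)   # int() truncates toward zero
    return round(reading + steps * POINT, 3)


def category_a_met(cells):
    """Category A: normal limits for each designated pilot cell."""
    pilots = [c for c in cells if c.pilot]
    return bool(pilots) and all(
        c.level_in_band and c.voltage >= CAT_AB_FLOAT_V
        and correct_sg(c.sg_reading, c.temp_f) >= CAT_A_SG
        for c in pilots)


def category_b_met(cells):
    """Category B: normal limits for each connected cell plus the bank average."""
    sgs = [correct_sg(c.sg_reading, c.temp_f) for c in cells]
    return (all(c.level_in_band and c.voltage >= CAT_AB_FLOAT_V for c in cells)
            and all(sg >= CAT_B_SG for sg in sgs)
            and mean(sgs) > CAT_B_AVG_SG)


def category_c_met(cells):
    """Category C: allowable values; a cell more than 0.020 below the average
    would let a highly charged or new cell mask overall degradation."""
    sgs = [correct_sg(c.sg_reading, c.temp_f) for c in cells]
    avg = mean(sgs)
    return (all(c.above_plates and c.voltage > CAT_C_FLOAT_V for c in cells)
            and avg >= CAT_C_AVG_SG
            and all(sg >= avg - CAT_C_SPREAD for sg in sgs))


def evaluate(cells):
    """Assumed mapping onto the Conditions the Bases describe: Category C not
    met -> Condition B (declare the DC subsystem inoperable); A or B not met
    with C met -> Condition A (31 day Completion Time); all met -> none."""
    a, b, c = category_a_met(cells), category_b_met(cells), category_c_met(cells)
    if not c:
        cond = "B"
    elif not (a and b):
        cond = "A"
    else:
        cond = None
    return {"A": a, "B": b, "C": c, "condition": cond}


# Constructed sample readings (not from the page): three connected cells, one pilot.
HEALTHY = [
    Cell(2.15, 1.205, 83.0, True, True, pilot=True),  # 83°F -> +2 points -> 1.207
    Cell(2.14, 1.204, 71.0, True, True),              # 71°F -> -2 points -> 1.202
    Cell(2.14, 1.210, 77.0, True, True),              # at reference -> 1.210
]
LOW_FLOAT = [HEALTHY[0], Cell(2.10, 1.204, 71.0, True, True), HEALTHY[2]]   # < 2.13 V but > 2.07 V
FAILED_CELL = [HEALTHY[0], Cell(2.05, 1.204, 71.0, True, True), HEALTHY[2]] # at/below 2.07 V

if __name__ == "__main__":
    for name, bank in (("HEALTHY", HEALTHY), ("LOW_FLOAT", LOW_FLOAT), ("FAILED_CELL", FAILED_CELL)):
        print(name, evaluate(bank))
```

The three constructed banks exercise the three outcomes: all categories met, a cell below the Category B float limit but above the Category C allowable value (Condition A), and a cell at or below [2.07] V (Condition B).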

REFERENCES

1. IEEE 450-1980, "IEEE Recommended Practice for Maintenance, Testing, and Replacement of Large Lead Storage Batteries for Generating Stations and Substations."

2. IEEE 308-1978, "IEEE Standard Criteria for Class 1E Power Systems for Nuclear Power Generating Stations."

3. Chapter 6.

4. Chapter 15.

B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.7 Inverters - Operating

BASES

BACKGROUND

The inverters are the preferred source of power for the AC vital buses because of the stability and reliability they achieve in being powered from the 120 VDC battery source. The function of the inverter is to convert DC electrical power to AC electrical power, thus providing an uninterruptible power source for the instrumentation and controls for the Reactor Protective System (RPS) and the Engineered Safety Feature Actuation System (ESFAS). Specific details on inverters and their operating characteristics are found in Chapter 8 (Ref. 1).

APPLICABLE SAFETY ANALYSES

The initial conditions of Design Basis Accident (DBA) and transient analyses in Chapter 6 (Ref. 2) and Chapter 15 (Ref. 3) assume Engineered Safety Feature systems are OPERABLE. The DC to AC inverters are designed to provide the required capacity, capability, redundancy, and reliability to ensure the availability of necessary power to the RPS and ESFAS instrumentation and controls so that the fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.

The OPERABILITY of the inverters is consistent with the initial assumptions of the accident analyses and is based on meeting the design basis of the unit. This includes maintaining required AC vital buses OPERABLE during accident conditions in the event of:

a. An assumed loss of all offsite AC electrical power or all onsite AC electrical power; and

b. A worst case single failure.

Inverters are a part of the distribution system and, as such, satisfy Criterion 3 of the NRC Policy Statement.

LCO

The inverters ensure the availability of AC electrical power for the systems instrumentation required to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated DBA.

Maintaining the required inverters OPERABLE ensures that the redundancy incorporated into the design of the RPS and ESFAS instrumentation and controls is maintained. The six battery powered inverters (three per division) ensure an uninterruptible supply of AC electrical power to the AC vital buses even if the 4.16 kV safety buses are de-energized.

OPERABLE inverters require the associated AC vital bus to be powered by the inverter, which has the correct DC voltage ([120] V) applied from a battery to the inverter input, and inverter output AC voltage and frequency within tolerances.

This LCO is modified by a Note that allows one inverter to be disconnected from a battery for ≤ 24 hours, if the vital bus(es) is powered from a Class 1E constant voltage transformer during the period and all other inverters are operable. This allows an equalizing charge to be placed on one battery. If the inverter(s) were not disconnected, the resulting voltage condition might damage the inverter(s). These provisions minimize the loss of equipment that would occur in the event of a loss of offsite power. The 24 hour time period for the allowance minimizes the time during which a loss of offsite power could result in the loss of equipment energized from the affected AC vital bus while taking into consideration the time required to perform an equalizing charge on the battery bank. When utilizing the allowance, if one or more of the provisions is not met (e.g., 24 hour time period exceeded), LCO 3.0.3 must be entered immediately.

The intent of this Note is to limit the number of inverters that may be disconnected. Only those inverters associated with the single battery undergoing an equalizing charge may be disconnected. All other inverters must be aligned to their associated batteries, regardless of the number of inverters or unit design.

APPLICABILITY

The inverters are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and

b. Adequate core cooling is provided, and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.

Inverter requirements for MODES 5 and 6 are covered in the Bases for LCO 3.8.8, "Inverters - Shutdown."

ACTIONS

A.1 and A.2

With a required inverter inoperable, its associated AC vital bus becomes inoperable until it is [manually] re-energized from its [Class 1E constant voltage source transformer or inverter using internal AC source].

Required Action A.1 is modified by a Note, which states to enter the applicable Conditions and Required Actions of LCO 3.8.9, "Distribution Systems - Operating," when Condition A is entered with one AC vital bus de-energized. This ensures the vital bus is re-energized within 2 hours.

Required Action A.2 allows 24 hours to fix the inoperable inverter and return it to service. The 24 hour limit is based upon engineering judgment, taking into consideration the time required to repair an inverter and the additional risk to which the unit is exposed because of the inverter inoperability. This has to be balanced against the risk of an immediate shutdown, along with the potential challenges to safety systems such a shutdown might entail. When the AC vital bus is powered from its constant voltage source, it is relying upon interruptible AC electrical power sources (offsite and onsite). The uninterruptible, battery backed inverter source to the AC vital buses is the preferred source for powering instrumentation trip setpoint devices.

B.1 and B.2

If the inoperable devices or components cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE REQUIREMENTS

SR 3.8.7.1

This Surveillance verifies that the inverters are functioning properly with all required circuit breakers closed and AC vital buses energized from the inverter. The verification of proper voltage and frequency output ensures that the required power is readily available for the instrumentation of the RPS and ESFAS connected to the AC vital buses. The 7 day Frequency takes into account the redundant capability of the inverters and other indications available in the control room that alert the operator to inverter malfunctions.

REFERENCES

1. Chapter 8.

2. Chapter 6.

3. Chapter 15.

SYSTEM 80+ B 3.8-84 Rev. 00 16A Tech Spec Bases (2/95)

B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.8 Inverters - Shutdown

BASES

BACKGROUND

A description of the inverters is provided in the Bases for LCO 3.8.7, "Inverters - Operating."

APPLICABLE SAFETY ANALYSES

The initial conditions of Design Basis Accident (DBA) and transient analyses in Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2) assume Engineered Safety Feature systems are OPERABLE. The DC to AC inverters are designed to provide the required capacity, capability, redundancy, and reliability to ensure the availability of necessary power to the Reactor Protective System and Engineered Safety Features Actuation System instrumentation and controls so that the fuel, Reactor Coolant System, and containment design limits are not exceeded.

The OPERABILITY of the inverters is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.

The OPERABILITY of the minimum inverters to each AC vital bus during MODES 5 and 6 ensures that:

a. The unit can be maintained in the shutdown or refueling condition for extended periods;

b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and

c. Adequate power is available to mitigate events postulated during shutdown, such as an inadvertent draindown of the vessel or a fuel handling accident.

The inverters were previously identified as part of the distribution system and, as such, satisfy Criterion 3 of the NRC Policy Statement.

LCO

The inverters ensure the availability of electrical power for the instrumentation for systems required to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence or a postulated DBA. The battery powered inverters provide uninterruptible supply of AC electrical power to the AC vital buses even if the 4.16 kV safety buses are de-energized. OPERABILITY of the inverters requires that the vital bus be powered by the inverter. This ensures the availability of sufficient inverter power sources to operate the unit in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents and inadvertent reactor vessel draindown).

APPLICABILITY

The inverters required to be OPERABLE in MODES 5 and 6 provide assurance that:

a. Systems to provide adequate coolant inventory makeup are available for the irradiated fuel in the core in case of an inadvertent draindown of the reactor vessel;

b. Systems needed to mitigate a fuel handling accident are available;

c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and

d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.

Inverter requirements for MODES 1, 2, 3, and 4 are covered in LCO 3.8.7.

ACTIONS

A.1, A.2.1, A.2.2, A.2.3, A.2.4, and A.2.5

If two divisions are required by LCO 3.8.10, "Distribution Systems - Shutdown," the remaining OPERABLE inverters may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS, fuel movement, operations with a potential for draining the reactor vessel, and operations with a potential for positive reactivity additions. The Required Action to suspend positive reactivity additions does not preclude actions to maintain or increase reactor vessel inventory, provided the required SDM is maintained. By the allowance of the option to declare required features inoperable with the associated inverter(s) inoperable, appropriate restrictions will be implemented in accordance with the affected required features LCOs' Required Actions. In many instances, this option may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies, activities that could potentially result in inadvertent draining of the reactor vessel, and operations involving positive reactivity additions).

Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required inverters and to continue this action until restoration is accomplished in order to provide the necessary inverter power to the unit safety systems.

Notwithstanding performance of the above conservative Required Actions, the unit is still without sufficient AC vital power sources to operate in a safe manner. Therefore, action must be initiated to restore the minimum required AC vital power sources and continue until the LCO requirements are restored.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required inverters should be completed as quickly as possible in order to minimize the time the unit safety systems may be without power or powered from a constant voltage source transformer.

SURVEILLANCE REQUIREMENTS

SR 3.8.8.1

This Surveillance verifies that the inverters are functioning properly with all required circuit breakers closed and AC vital buses energized from the inverter. The verification of proper voltage and frequency output ensures that the required power is readily available for the instrumentation connected to the AC vital buses. The 7 day Frequency takes into account the redundant capability of the inverters and other indications available in the control room that alert the operator to inverter malfunctions.

REFERENCES

1. Chapter 6.

2. Chapter 15.

B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.9 Distribution Systems - Operating

BASES

BACKGROUND

The onsite Class 1E AC, DC, and AC Vital Electrical Power Distribution Systems are divided into two redundant and independent divisional subsystems.

The primary distribution of the onsite AC Power Distribution System is at 4160 volts. There are two 4160 volt emergency buses. Power is distributed to the 4160 volt buses from the offsite power sources as described in the Bases for LCO 3.8.1, "AC Sources - Operating." Control power for the 4160 volt breakers is supplied from the Class 1E batteries as described in the Bases for LCO 3.8.4, "DC Sources - Operating."

The secondary plant distribution is at 480 volts. The 480 volt distribution system includes load centers [*]. Load centers [*] are normally supplied from 4160 volt buses [*], respectively, through their own transformers. The 480 volt load centers are located in separate rooms in the control building. Control power for the 480 volt breakers is supplied from the Class 1E batteries as described in the Bases for LCO 3.8.4, "DC Sources - Operating."

The safety-related 480 volt AC motor control centers are fed from load centers [*]. The 120 volt AC vital buses are arranged in six load groups (A, B, C, D, Division I, II) and are normally powered from their 125 volt DC switchboards, respectively, via the associated DC/AC inverter. The alternate power supply for the vital buses is a Class 1E constant voltage source powered from the same Division as the associated inverter. Use of Class 1E inverters is governed by LCO 3.8.7, "Inverters - Operating."

The 125 volt DC load group distribution centers are normally powered from their battery charger. The battery chargers are powered from their Divisional 480 volt MCC. A loss of AC power or failure of the battery charger places the associated battery in service to supply its 125 volt DC switchboard.

[*] Value to be determined by system detail design.

The list of all required distribution buses is located in Table B 3.8.9-1.

APPLICABLE SAFETY ANALYSES

The initial conditions of design basis transient and accident analyses in Chapters 6, Engineering Safety Features, and 15, Accident Analyses, assume Engineered Safety Features (ESF) systems are OPERABLE. The AC, DC, and AC Vital Electrical Power Distribution Systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for LCO Sections 3.2 (Power Distribution Limits), 3.4 (Reactor Coolant System), and 3.6 (Containment Systems).

The OPERABILITY of the Electrical Power Distribution Systems is consistent with the initial assumptions of the accident analyses and is based upon maintaining at least one of the onsite AC, DC, and Vital AC power sources and associated distribution systems OPERABLE during accident conditions in the event of (1) an assumed loss of all offsite power or all onsite AC power, and (2) a worst case single failure.

The distribution systems satisfy Criterion 3 of the NRC Policy Statement.

LCO

The Power Distribution System Divisions listed in Table B 3.8.9-1 ensure the availability of AC, DC, and Vital AC electrical power for the systems required to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated design basis accident. Two divisions of the AC, DC, and AC Vital Electrical Power Distribution Systems are required to be OPERABLE.

Maintaining two divisions of AC, DC, and AC Vital Electrical Power Distribution Systems OPERABLE ensures that the redundancy incorporated into the design of ESF is not defeated. Either division of the distribution system is capable of providing the necessary electrical power to its corresponding ESF division. Therefore, a single failure within any system or within the electrical distribution systems will not prevent safe shutdown of the plant.

OPERABILITY is met, as it applies to AC and DC Distribution Systems, provided the associated bus is energized to its proper voltage. The AC vital bus is OPERABLE when it is powered from its associated inverter and DC bus at proper voltage and frequency.

Inoperable distribution systems do not necessarily result in inoperable components unless directed by Required Actions.

APPLICABILITY

The AC, DC, and AC Vital Electrical Power Distribution Systems are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of anticipated operational occurrences or abnormal transients; and

b. Adequate core cooling is provided, and containment integrity and other vital functions are maintained in the event of a postulated DBA.

AC, DC, and AC Vital Electrical Power Distribution System requirements for MODES 5 and 6 are covered in the Bases for LCO 3.8.10, "Distribution Systems - Shutdown."

ACTIONS

A.1

With one or more required AC buses, load centers, motor control centers, or distribution panels, except AC vital buses, in one division inoperable, the remaining AC electrical power distribution subsystem in the other division is capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure. The overall reliability is reduced, however, because a single failure in the remaining power distribution subsystems could result in the minimum required ESF functions not being supported. Therefore, the required AC buses, load centers, motor control centers, and distribution panels must be restored to OPERABLE status within 8 hours.

Condition A worst scenario is one division without AC power (i.e., no offsite power to the division and the associated DG inoperable). In this condition, the unit is more vulnerable to a complete loss of AC power. It is, therefore, imperative that the unit operator's attention be focused on minimizing the potential for loss of power to the remaining division by stabilizing the unit, and on restoring power to the affected division. The 8 hour time limit before requiring a unit shutdown in this condition is acceptable because of:

a. The potential for decreased safety if the unit operator's attention is diverted from the evaluations and actions necessary to restore power to the affected division, to the actions associated with taking the unit to shutdown within this time limit; and

b. The potential for an event in conjunction with a single failure of a redundant component in the division with AC power.

The second Completion Time for Required Action A.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, a DC bus is inoperable and subsequently restored OPERABLE, the LCO may already have been not met for up to 2 hours. This could lead to a total of 10 hours, since initial failure of the LCO, to restore the AC distribution system. At this time, a DC circuit could again become inoperable, and AC distribution restored OPERABLE. This could continue indefinitely.

The Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This will result in establishing the "time zero" at the time the LCO was initially not met, instead of the time Condition A was entered. The 16 hour Completion Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely.
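The two concurrent clocks for Required Action A.1 described above (8 hours from entry into Condition A, and 16 hours from the "time zero" at which the LCO was initially not met), as an added Python example that is not part of the Bases and not Combustion Engineering's code. It assumes that a contiguous period of failing to meet the LCO begins when any required subsystem becomes inoperable and ends only when all are restored, and that events at the same instant are applied in the order listed; the timeline is constructed to match the DC bus / AC distribution scenario in the text. The function names and the generalisation to other Condition limits are the example's own.

```python
from datetime import datetime, timedelta

# Completion Times for Required Action A.1 as the Bases state them: 8 hours
# from entry into Condition A, and a second Completion Time of 16 hours
# measured from the time the LCO was initially not met.
ACTION_A1_LIMIT = timedelta(hours=8)
ACTION_A1_OVERALL = timedelta(hours=16)


def hours(n):
    return timedelta(hours=n)


def lco_clock_zero(events):
    """Walk chronological (time, subsystem, state) events and return the
    "time zero" of the current contiguous period of failing to meet the LCO,
    or None if every required subsystem is OPERABLE after the last event.
    Assumption: events at the same instant are applied in the order listed."""
    inoperable = set()
    zero = None
    for when, subsystem, state in events:
        if state == "inoperable":
            if not inoperable:
                zero = when          # first failure starts a new contiguous period
            inoperable.add(subsystem)
        elif state == "restored":
            inoperable.discard(subsystem)
            if not inoperable:
                zero = None          # LCO met again; the overall clock resets
        else:
            raise ValueError(f"unknown state {state!r}")
    return zero


def restoration_deadline(condition_entered, lco_first_not_met,
                         action_limit=ACTION_A1_LIMIT, overall_limit=ACTION_A1_OVERALL):
    """Return (deadline, governing_clock). Both Completion Times run
    concurrently; whichever expires first governs. Other Conditions can be
    evaluated by passing their own limits (example's generalisation)."""
    if lco_first_not_met is None:
        lco_first_not_met = condition_entered   # no earlier failure in this period
    if condition_entered < lco_first_not_met:
        raise ValueError("Condition entered before the LCO was first not met")
    by_action = condition_entered + action_limit
    by_overall = lco_first_not_met + overall_limit
    return (by_action, "action") if by_action <= by_overall else (by_overall, "overall")


def hours_available(condition_entered, lco_first_not_met, **limits):
    """Hours remaining for restoration measured from Condition entry."""
    deadline, _ = restoration_deadline(condition_entered, lco_first_not_met, **limits)
    return (deadline - condition_entered).total_seconds() / 3600.0


# Constructed timeline (not from the page) reproducing the scenario in the Bases:
# a DC bus fails at T0, an AC load center fails 2 hours later (Condition A
# entered), and the DC bus is restored at that same instant.
T0 = datetime(2024, 1, 1, 0, 0)
SAMPLE_EVENTS = [
    (T0,            "DC bus",         "inoperable"),
    (T0 + hours(2), "AC load center", "inoperable"),
    (T0 + hours(2), "DC bus",         "restored"),
]

if __name__ == "__main__":
    zero = lco_clock_zero(SAMPLE_EVENTS)
    print("time zero:", zero)
    print("deadline:", restoration_deadline(T0 + hours(2), zero))   # 10 h after T0
```

With the sample timeline the 8 hour clock governs and restoration is due 10 hours after the initial LCO failure, as the text states; if the same toggling had gone on until Condition A was entered 12 hours after T0, the 16 hour overall clock would govern instead and only 4 hours would remain.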

l M

With one AC vitc1 bus inoperable, the remaining OPERABLE AC vital buses are capable of supporting the minimum safety l functions necessary to shutdown the unit and maintain it in  !

the safe shutdown condition. However, overall reliability l 1s reduced since an additional single failure could result ,

in the minimum required ESF functions not being supported. l Therefore, the required AC vital bus must be powered from 1 its alternate Class IE constant voltage source transformer within two hours. i a

Condition B represents one AC vital bus without power; potentially both the DC source and the associated AC source are nonfunctioning. In this situation, the unit is significantly more vulnerable to a complete loss of all noninterruptible power. It is, therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for loss of power to the remaining vital buses, and restoring power to the affected vital bus.

This 2 hour limit is more conservative than Completion Times allowed for the vast majority of components that are without adequate vital AC power. Taking exception to LCO 3.0.2 for components without adequate vital AC power, which would have Required Action Completion Times shorter than 2 hours if declared inoperable, is acceptable because of:

a. The potential for decreased safety by requiring a change in unit conditions (i.e., requiring a shutdown) and not allowing stable operations to continue;

b. The potential for decreased safety by requiring entry into numerous applicable Conditions and Required Actions for components without adequate vital AC power and not providing sufficient time for the operators to perform the necessary evaluations and actions for restoring power to the affected division; and

c. The potential for an event in conjunction with a single failure of a redundant component.

The 2 hour Completion Time takes into account the importance to safety of restoring the AC vital bus to OPERABLE status, the redundant capability afforded by the other OPERABLE vital buses, and the low probability of a DBA occurring during this period.

The second Completion Time for Required Action B.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an AC bus is inoperable and subsequently returned OPERABLE, the LCO may already have been not met for up to 8 hours. This could lead to a total of 10 hours, since initial failure of the LCO, to restore the vital bus distribution system. At this time, an AC division could again become inoperable, and vital bus distribution restored OPERABLE. This could continue indefinitely.

This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This will result in establishing the "time zero" at the time the LCO was initially not met, instead of the time Condition B was entered. The 16 hour Completion Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely.

C.1

With DC bus(es) in one division inoperable, the remaining DC electrical power distribution subsystems are capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure. The overall reliability is reduced, however, because a single failure in the remaining DC electrical power distribution subsystem could result in the minimum required ESF functions not being supported. Therefore, the required DC buses must be restored to OPERABLE status within 2 hours.

Condition C represents one division without adequate DC power; potentially both with the battery significantly degraded and the associated charger nonfunctioning. In this situation, the unit is significantly more vulnerable to a complete loss of all DC power. It is, therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for loss of power to the remaining divisions and restoring power to the affected division.

This 2 hour limit is more conservative than Completion Times allowed for the vast majority of components which would be without power. Taking exception to LCO 3.0.2 for components without adequate DC power, which would have Required Action Completion Times shorter than 2 hours, is acceptable because of:

a. The potential for decreased safety by requiring a change in unit conditions (i.e., requiring a shutdown) and not allowing stable operations to continue;

b. The potential for decreased safety by requiring entry into numerous applicable Conditions and Required Actions for components without DC power and not providing sufficient time for the operators to perform the necessary evaluations and actions for restoring power to the affected division; and

c. The potential for an event in conjunction with a single failure of a redundant component.

The 2 hour Completion Time for DC buses is consistent with Regulatory Guide 1.93 (Ref. 1).

The second Completion Time for Required Action C.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition C is entered while, for instance, an AC bus is inoperable and subsequently returned OPERABLE, the LCO may already have been not met for up to 8 hours. This could lead to a total of 10 hours, since initial failure of the LCO, to restore the DC distribution system. At this time, an AC division could again become inoperable, and DC distribution restored OPERABLE. This could continue indefinitely.

This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This will result in establishing the "time zero" at the time the LCO was initially not met, instead of the time Condition C was entered. The 16 hour Completion Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely.
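The clock logic described for Required Actions A.1, B.1 and C.1 (each Condition's own Completion Time, plus the 16 hour limit measured from the time the LCO was first not met during one contiguous occurrence) is modelled below as an added worked example in Python; it is not part of the Bases or of the Specification. The Condition letters, the 8/2/2 hour values and the constructed event sequence are assumptions taken from the narrative above, and the Bases' example of a DC bus and an AC bus failing alternately is replayed to show where the second Completion Time caps the clock.

```python
"""Added worked example (not part of the Bases): the two Completion Times on
Required Actions A.1, B.1 and C.1 of LCO 3.8.9.

Assumptions taken from the narrative above, not from the Specification:
  Condition A (AC bus)        8 hours from entry into Condition A
  Condition B (AC vital bus)  2 hours from entry into Condition B
  Condition C (DC bus)        2 hours from entry into Condition C
  second Completion Time      16 hours from the time the LCO was first not met
                              during one contiguous occurrence
All times are hours from an arbitrary t = 0.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CONDITION_LIMIT_H: Dict[str, float] = {"A": 8.0, "B": 2.0, "C": 2.0}
CONTIGUOUS_LIMIT_H = 16.0


@dataclass
class LcoClock:
    """Allowed outage time 'clock' for one contiguous occurrence of failing to meet the LCO."""
    time_zero: Optional[float] = None                        # first time the LCO was not met; None when met
    active: Dict[str, float] = field(default_factory=dict)   # Condition letter -> entry time

    def enter(self, cond: str, t: float) -> None:
        """Enter a Condition at time t. 'time zero' is fixed by the first entry of the
        occurrence and is NOT reset when a different subsystem fails later."""
        if self.time_zero is None:
            self.time_zero = t
        self.active.setdefault(cond, t)

    def exit(self, cond: str, t: float) -> None:
        """Leave a Condition (subsystem restored). Only when no Condition remains
        active is the LCO met again and the contiguous occurrence ended."""
        self.active.pop(cond, None)
        if not self.active:
            self.time_zero = None

    def deadline(self, cond: str) -> float:
        """Time by which cond's Required Action must be complete: the earlier of the
        Condition's own Completion Time and 16 hours from time zero."""
        own = self.active[cond] + CONDITION_LIMIT_H[cond]
        overall = self.time_zero + CONTIGUOUS_LIMIT_H
        return min(own, overall)

    def hours_remaining(self, cond: str, now: float) -> float:
        return self.deadline(cond) - now


def alternating_scenario() -> List[Tuple[str, float, float]]:
    """Replay the A.1 narrative with a constructed event sequence: a DC bus
    (Condition C) fails, an AC bus (Condition A) fails just as the DC bus is
    restored, and the pattern repeats. Returns (Condition, entry time, deadline)
    for every entry; the last deadline is capped by the 16 hour limit."""
    clk = LcoClock()
    log: List[Tuple[str, float, float]] = []
    events = [                 # constructed sample sequence (time, event, Condition)
        (0.0, "enter", "C"),   # DC bus inoperable: LCO first not met, time zero = 0
        (2.0, "enter", "A"),   # AC bus inoperable just before the DC bus is restored
        (2.0, "exit", "C"),    # DC bus restored at its 2 hour limit
        (9.0, "enter", "C"),   # DC bus inoperable again before the AC bus is restored
        (10.0, "exit", "A"),   # AC bus restored at 2 + 8 = 10 hours
        (11.0, "enter", "A"),  # AC bus fails once more...
        (11.0, "exit", "C"),   # ...as the DC bus is restored; the LCO has never been met
    ]
    for t, ev, cond in events:
        if ev == "enter":
            clk.enter(cond, t)
            log.append((cond, t, clk.deadline(cond)))
        else:
            clk.exit(cond, t)
    return log


if __name__ == "__main__":
    for cond, t, due in alternating_scenario():
        print(f"Condition {cond} entered at t={t:4.1f} h, Required Action due by t={due:4.1f} h")
```

Without the second Completion Time the final entry into Condition A at t = 11 h would run to t = 19 h and the alternation could go on indefinitely; with it, that entry is due at t = 16 h, 16 hours after the LCO was first not met. Exiting every active Condition clears time zero, so a later, separate failure starts a fresh clock.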

D.1 and D.2

If the inoperable distribution subsystem cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE REQUIREMENTS

SR 3.8.9.1

This Surveillance verifies that the AC, DC, and Vital AC Electrical Power Distribution Systems are functioning properly with all the desired circuit breakers closed and the buses energized from normal power. The verification of proper voltage availability on the buses ensures that the required power is readily available for motive as well as control functions for critical system loads connected to these buses. The 7 day Frequency takes into account the redundant capability of the AC, DC, and AC vital bus electrical power distribution subsystems, and other indications available in the control room that alert the operator to subsystem malfunctions.

REFERENCES

1. Regulatory Guide 1.93, "Availability of Electric Power Sources," December 1974.

2. Chapter 6.

3. Chapter 15.


Table B 3.8.9-1 (Page 1 of 1)
Electrical Power Distribution Systems

TYPE                VOLTAGE    DIVISION 1                DIVISION 2
AC Emergency Buses  4160 VAC   [*]                       [*]
                    480 VAC    [*]                       [*]
DC Buses            125 VDC    [*] from battery [*]      [*] from battery [*]
                                   from charger [*]          from charger [*]
                               [*] from battery [*]      [*] from battery [*]
                                   from charger [*]          from charger [*]
AC Vital Buses      120 VAC    [*] from inverter [*]     [*] from inverter [*]
                               [*] from inverter [*]     [*] from inverter [*]

* Value to be determined by system detail design.


Distribution Systems - Shutdown B 3.8.10

B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.10 Distribution Systems - Shutdown

BASES

BACKGROUND

A description of the AC, DC, and AC Vital Power Distribution Systems is provided in the Bases for LCO 3.8.9, "Distribution Systems - Operating."

APPLICABLE SAFETY ANALYSES

The initial conditions of Design Basis Accident and transient analyses in Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2) assume Engineered Safety Feature (ESF) systems are OPERABLE. The AC, DC, and AC vital bus electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that

The OPERABILITY of the AC, DC, and AC vital bus electrical power distribution system is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.

The OPERABILITY of the minimum AC, DC, and AC vital bus electrical power distribution subsystems during MODES 5 and 6 ensures that:

a. The unit can be maintained in the shutdown or refueling condition for extended periods;
b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and
c. Adequate power is provided to mitigate events postulated during shutdown, such as an inadvertent draindown of the vessel or a fuel handling accident.

The AC and DC electrical power distribution systems satisfy Criterion 3 of the NRC Policy Statement.


LCO

Various combinations of subsystems, equipment, and components are required OPERABLE by other LCOs, depending on the specific unit condition. Implicit in those requirements is the required OPERABILITY of necessary support required features. This LCO explicitly requires energization of the portions of the electrical distribution system necessary to support OPERABILITY of required systems, equipment and components, all specifically addressed in each LCO and implicitly required via the definition of OPERABILITY.

Maintaining these portions of the distribution system energized ensures the availability of sufficient power to operate the unit in a safe manner to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents and inadvertent reactor vessel draindown).

APPLICABILITY

The AC, DC, and AC Vital bus electrical power distribution subsystems required to be OPERABLE in MODES 5 and 6 provide assurance that:

a. Systems to provide adequate coolant inventory makeup are available for the irradiated fuel in the core in case of an inadvertent draindown of the reactor vessel;
b. Systems needed to mitigate a fuel handling accident are available;
c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and
d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown or refueling condition.

AC, DC, and AC Vital electrical power distribution subsystem requirements for MODES 1, 2, 3, and 4 are addressed in LCO 3.8.9, "Distribution Systems - Operating."


ACTIONS

A.1, A.2.1, A.2.2, A.2.3, A.2.4, A.2.5, and A.2.6

Although redundant required features may require redundant divisions of electrical power distribution subsystems to be OPERABLE, one OPERABLE distribution subsystem division may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS, fuel movement, and operations with a potential for draining the reactor vessel.

By allowing the option to declare required features associated with an inoperable distribution subsystem inoperable, appropriate restrictions are implemented in accordance with the affected distribution subsystem LCO's Required Actions. In many instances, this option may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies, any activities that could result in inadvertent draining of the reactor vessel, and operations involving positive reactivity additions).

Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required AC and DC electrical power distribution subsystems and to continue this action until restoration is accomplished in order to provide the necessary power to the unit safety systems.

Notwithstanding performance of the above conservative Required Actions, a required Shutdown Cooling System (SCS) may be inoperable. In this case, the Required Actions of Condition A discussed above do not adequately address the concerns relating to coolant circulation and heat removal. Pursuant to LCO 3.0.6, the SCS ACTIONS would not be entered. Therefore, the Required Actions of Condition A direct declaring SCS inoperable, which results in taking the appropriate SCS ACTIONS.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required distribution subsystems should be completed as quickly as possible in order to minimize the time the unit safety systems may be without power.


SURVEILLANCE REQUIREMENTS

SR 3.8.10.1

This Surveillance verifies that the AC, DC, and AC vital bus electrical power distribution system is functioning properly, with all the buses energized. The verification of proper voltage availability on the buses ensures that the required power is readily available for motive as well as control functions for critical system loads connected to these buses. The 7 day Frequency takes into account the redundant capability of the electrical power distribution subsystems, and other indications available in the control room that alert the operator to subsystem malfunctions.

REFERENCES

1. Chapter 6.

2. Chapter 15.

Boron Concentration B 3.9.1

B 3.9 REFUELING OPERATIONS

B 3.9.1 Boron Concentration

BASES

BACKGROUND

The limit on the boron concentration of the Reactor Coolant System (RCS), refueling cavity and refueling canal during refueling ensures that the reactor remains subcritical during MODE 6. The limit includes an uncertainty allowance of 50 ppm.

Refueling boron concentration is the soluble boron concentration in the reactor coolant in each of these volumes having direct access to the reactor core during refueling or fuel handling. The soluble boron concentration offsets the fuel reactivity and is measured by chemical analysis of the reactor coolant. The refueling boron concentration specified in the Core Operating Limits Report (COLR) ensures the K_eff of the core will remain ≤ 0.95 during fuel handling, with Control Element Assemblies (CEAs) and fuel assemblies assumed to be in the most adverse (least negative reactivity) configuration allowed by plant procedures.

General Design Criterion 26 of 10 CFR Part 50, Appendix A requires that two independent reactivity control systems of different design principles be provided (Ref. 1). One of these systems must be capable of holding the reactor core subcritical under cold conditions. The Chemical and Volume Control System (CVCS) is the system capable of maintaining the reactor subcritical in cold conditions by maintaining the boron concentration.

The reactor is brought to shutdown conditions before beginning operations to open the reactor vessel for refueling. After the RCS is cooled and depressurized, and the reactor vessel head is unbolted, the head is slowly raised. The refueling cavity and canal are then flooded by pumping borated water from the In-containment Refueling Water Storage Tank (IRWST) using the Containment Spray System pump(s).

If additions of boron are required after the vessel has been opened, the CVCS makes the additions through the RCS and open vessel. The pumping action of the Shutdown Cooling System (SCS) and natural circulation due to thermal driving heads in the vessel and cavity mix the added concentrated boric acid with the water in the RCS and the refueling canal. The SCS is kept in service during the refueling period to assist in maintaining the boron concentration in the RCS, the refueling canal, and the refueling cavity above the COLR limit and to remove core decay heat and provide forced circulation in the RCS.

APPLICABLE SAFETY ANALYSIS

During refueling operations the reactivity condition of the core is consistent with the initial conditions assumed for the boron dilution accident in the accident analysis and is conservative for MODE 6. The magnitude of the boron concentration is based on the nuclear design of each fuel cycle. It is further based on the core reactivity at the beginning of each fuel cycle (the end of refueling) and includes an uncertainty allowance (50 ppm).

The required boron concentration and the unit refueling procedures that demonstrate the correct fuel loading plan (including full core mapping) ensure the K_eff of the core will remain ≤ 0.95 during the refueling operation. Hence, at least a 5% Δk/k margin of safety is established during refueling.

During refueling, the water volume in the spent fuel pool, the transfer canal, the refueling cavity, the refueling canal and the reactor vessel form a single mass. As a result, the soluble boron concentration is the same in each of these volumes (Ref. 2).

The limiting boron dilution accident occurs in MODE 5, REDUCED RCS INVENTORY. A detailed discussion of this event is provided in Reference 6.

The RCS boron concentration satisfies Criterion 2 of the NRC Policy Statement.

LCO

LCO 3.9.1 requires that a minimum boron concentration be maintained while in MODE 6. The boron concentration limit during fuel handling operations ensures a K_eff of ≤ 0.95 is maintained. Violation of the LCO could lead to possible inadvertent criticality during MODE 6.

APPLICABILITY

This LCO is applicable in MODE 6 to ensure that the fuel in the reactor vessel will remain subcritical. The required boron concentration ensures a K_eff of ≤ 0.95. Above MODE 6, LCO 3.1.1, "SHUTDOWN MARGIN" ensures that an adequate amount of negative reactivity is available to shut down the reactor and to maintain the reactor subcritical.

ACTIONS

A.1 and A.2

Continuation of CORE ALTERATIONS or positive reactivity additions is contingent upon maintaining the plant in compliance with the LCO. If the boron concentration of any of the filled portions of the RCS, the refueling canal, or the refueling cavity is less than its limit, all operations involving CORE ALTERATIONS or positive reactivity additions must be suspended immediately. Performance of Required Actions A.1 and A.2 shall not preclude completion of actions to establish a safe condition.

A.3

In addition to immediately suspending CORE ALTERATIONS and positive reactivity additions, boration to restore the concentration must be initiated immediately. In the determination of the required combination of boration flow rate and boron concentration, there is not a unique design basis event which must be satisfied. The only requirement is to restore the boron concentration to its required value as soon as possible. In order to raise the boron concentration of the RCS as soon as possible, the operator should begin boration with the best source available for unit conditions.


Once boration is initiated, it must be continued until the boron concentration is restored. The completion time depends on the amount of boron which must be injected to reach the required concentration.

SURVEILLANCE REQUIREMENTS

SR 3.9.1.1

This SR ensures the reactor coolant boron concentration in the RCS, refueling canal and refueling cavity is within the COLR limits. The boron concentration in the coolant is determined periodically by chemical analysis.

Because the likelihood of a significant reduction in the boron concentration during MODE 6 operations is remote, a minimum frequency of once every 72 hours is a reasonable interval to verify boron concentration. The surveillance interval is based on extensive operating experience and ensures that the boron concentration is checked at adequate intervals.

REFERENCES

1. 10 CFR 50, Appendix A, Section VI, Criterion 26, "Reactivity Control System Redundancy and Capability."

2. NS-51.2, ANSI/ANS-57.2-1983, Section 6.4.2.2.3, American Nuclear Society, American National Standard, "Design Requirements for Light Water Reactor Spent Fuel Storage Facilities at Nuclear Power Plants," 1983.

3. Chapter 15.

4. 52 FR 3788, NRC Interim Policy Statement on Technical Specification Improvements for Nuclear Power Reactors, February 6, 1987.

5. NRC Bulletin No. 89-03, "Potential Loss of Required Shutdown Margin During Refueling Operations," November 21, 1989.

6. Section 19.8A, Shutdown Risk Evaluation.


Nuclear Instrumentation B 3.9.2

B 3.9 REFUELING OPERATIONS

B 3.9.2 Nuclear Instrumentation

BASES

BACKGROUND

The installed Source Range Monitors (SRMs) are used during refueling operations to monitor core reactivity condition and are part of the Nuclear Instrumentation System (NIS).

These detectors are external to the reactor vessel and detect neutrons leaking from the core. The use of portable detectors is permitted, provided the LCO requirements are met.

The installed SRMs are BF3 detectors operating in the proportional region of the gas-filled detector characteristic curve. They monitor the neutron flux in counts per second (cps) and cover 5 decades of neutron flux (1 to 1E5 cps). Each source range monitor provides visual indication in the control room and an audible alarm to alert operators to a possible dilution accident. The NIS is designed in accordance with the criteria presented in Reference 1. If used, portable detectors should be functionally equivalent to the installed NIS source range monitors.

APPLICABLE SAFETY ANALYSIS

Two OPERABLE SRMs are required to provide a signal to alert the operator to changes in core reactivity such as a boron dilution accident or an improperly loaded fuel assembly.

The safety analysis of the uncontrolled boron dilution accident is described in Reference 2. This analysis shows that the normally available shutdown margin would be reduced, but that there is sufficient time available for the operator to detect and to terminate the event should it occur. Fuel integrity is not challenged during this event.

The SRMs satisfy Criterion 3 of the NRC Policy Statement.

LCO

This LCO requires two OPERABLE SRMs with visual indication in the control room to ensure that redundant monitoring capability is available to detect changes in core reactivity.


APPLICABILITY

In MODE 6 the SRMs must be OPERABLE to determine changes in core reactivity. No other direct means are available to check core reactivity levels.

ACTIONS

A.1 and A.2

With one SRM inoperable, redundancy has been lost. Since these instruments provide the only direct means of monitoring core reactivity conditions, CORE ALTERATIONS and positive reactivity additions must be suspended immediately. Performance of Required Action A.1 shall not preclude completion of actions to establish a safe condition.

B.1

With two SRMs inoperable, actions to restore a monitor to OPERABLE status shall be initiated immediately. Once initiated, actions shall be continued until a SRM is restored to OPERABLE status.

B.2

With no SRM OPERABLE, there is no direct means of detecting changes in core reactivity. Since CORE ALTERATIONS and positive reactivity additions are not to be made, the core reactivity condition is stabilized until the SRMs are OPERABLE.

Performing SR 3.9.1.1 verifies that the required boron concentration exists. The 4 hour Completion Time quickly verifies the boron concentration of the reactor coolant. The Frequency of once per 12 hours ensures that unplanned changes in boron concentration would be identified. The 12 hour Frequency is reasonable considering the low probability of a change in core reactivity during this time period.


SURVEILLANCE REQUIREMENTS

SR 3.9.2.1

SR 3.9.2.1 is the performance of a CHANNEL CHECK, which is the comparison between channels of the indicated parameter values for each of the functions. It is based on the assumption that the two indication channels should be consistent with core conditions. Changes in fuel loading and core geometry can result in significant differences between source range channels, but each channel should be consistent with its local conditions. The Frequency of 12 hours is based on the importance of the SRMs. The Frequency is consistent with LCO 3.3.5, "Engineered Safety Features Actuation System (ESFAS) Instrumentation" and has been proven acceptable through operating experience.

SR 3.9.2.2

SR 3.9.2.2 is the performance of a CHANNEL CALIBRATION every 18 months. This SR is modified by a Note stating that neutron detectors are excluded from the CHANNEL CALIBRATION. The CHANNEL CALIBRATION for the SRMs consists of obtaining the detector plateau or preamp discriminator curves, evaluating those curves, and comparing the curves to the manufacturer's data. The 18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage. Operating experience has shown that these components usually pass the Surveillance when performed on the 18 month Frequency.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 26.

2. Chapter 15.

Containment Penetrations B 3.9.3

B 3.9 REFUELING OPERATIONS

B 3.9.3 Containment Penetrations

BASES

BACKGROUND

During CORE ALTERATIONS or movement of irradiated fuel assemblies within containment, a release of fission product radioactivity within the containment will be restricted from leakage to the environment when the LCO requirements are met. In MODES 1, 2, 3 and 4 this is accomplished by maintaining containment OPERABLE as described in LCO 3.6.1, "Containment". In MODE 6 the potential for containment pressurization as a result of an accident is not present; therefore, less stringent requirements are needed to isolate the containment from the outside atmosphere. The LCO requirements are referred to as "containment closure" rather than "containment OPERABILITY." Containment closure means that all potential escape paths are closed or capable of being closed. Since there is no potential for containment pressurization, the Appendix J leakage criteria and tests are not required.

The containment structure serves to contain fission product radioactivity which may be released from the reactor core following a Design Basis Accident (DBA), such that offsite radiation exposures are maintained within the requirements of 10 CFR 100. Additionally, this structure provides radiation shielding from the fission products which may be present in the containment atmosphere following accident conditions.

The containment equipment hatch, which is part of the containment pressure boundary, provides a means for moving large equipment and components into and out of. containment.

During CORE ALTERATIONS or movement of irradiated fuel assemblies within containment, the equipment hatch must be held in place by at least [4] bolts. Good engineering practice dictates that these four bolts be approximately equally spaced.

The containment air locks, which are.also part of the containment pressure boundary, provide a means for personnel access during plant operation. Each air lock has a door at both ends. The doors are normally interlocked to prevent i simultaneous opening when containment closure is required.

During periods of unit shutdown when containment closure is not required, the door interlock mechanism may be disabled, allowing both doors of an airlock to remain open for extended periods when frequent containment entry is necessary. During CORE ALTERATIONS or movement of irradiated fuel assemblies within containment, containment closure is required; therefore the door interlock mechanism may remain disabled, but one air lock door must remain closed.

The requirements on containment penetration closure ensure that a release of fission product radioactivity within containment will be restricted from leaking to the environment. The closure restrictions are sufficient to restrict fission product radioactivity release from containment due to a fuel handling accident during refueling.

The Containment Purge System includes two subsystems. The high volume purge subsystem includes 2 [24] inch purge penetrations and 2 [24] inch exhaust penetrations. The low volume purge subsystem includes a [6] inch purge penetration and a [6] inch exhaust penetration. During MODES 1, 2, 3, and 4, the two valves in each of the high volume purge and exhaust penetrations are secured in the closed position.

The two valves in each of the two low volume purge penetrations can be opened intermittently, but are closed automatically by the Engineered Safety Features Actuation System (ESFAS). Neither of the subsystems is subject to a Specification in MODE 5.

In MODE 6, large air exchanges are necessary to conduct refueling operations. The high volume purge system is used for this purpose and all valves are closed by the ESFAS in accordance with LCO 3.3.5, "Engineered Safety Feature Actuation System (ESFAS) Instrumentation."

[The low volume purge system remains operational in MODE 6 and all four valves are also closed by the ESFAS.

or

The low volume purge system is not used in MODE 6. All four [6] inch valves are secured in the closed position.]

The other containment penetrations that provide direct access from containment atmosphere to outside atmosphere must be isolated on at least one side. Isolation may be achieved by an OPERABLE automatic isolation valve, or by a manual isolation valve, blind flange, or equivalent. Equivalent isolation methods must be approved and may include use of a material that can provide a temporary, atmospheric pressure ventilation barrier for the other containment penetrations during fuel movements (Ref. 2).

APPLICABLE SAFETY ANALYSIS

During CORE ALTERATIONS or movement of irradiated fuel assemblies within containment, the most severe radiological consequences result from a fuel handling accident. The fuel handling accident is a Condition IV postulated event which involves damage to irradiated fuel (Ref. 3). Fuel handling accidents, analyzed in Section 15.7.3.4, include dropping a single fuel assembly and handling tool or a heavy object onto other irradiated fuel assemblies (Ref. 4). The requirements of this LCO and LCO 3.9.6, "Refueling Water Level", and the minimum decay time of [72] hours prior to CORE ALTERATIONS ensure that the release of fission product radioactivity subsequent to a fuel handling accident does not result in doses in excess of the guideline values specified in 10 CFR 100 and Standard Review Plan Section 15.7.4, Rev. 1 (Ref. 3).

Containment penetrations satisfy Criterion 3 of the NRC Policy Statement.

LCO

This LCO limits the consequences of a fuel handling accident in containment by limiting the potential escape paths for fission product radioactivity released within containment.

The LCO requires any penetration providing direct access from the containment atmosphere to the outside atmosphere to be closed except for the OPERABLE containment purge and exhaust penetrations.

For the OPERABLE containment purge penetrations, this LCO ensures that these penetrations are isolable by the Containment Isolation Actuation Signal. The OPERABILITY requirements for this LCO ensure that the automatic purge and exhaust valve closure times specified in Chapter 15 can be achieved and therefore meet the assumptions used in the safety analysis to ensure releases through the valves are terminated, such that the radiological doses are within the acceptance limit.

APPLICABILITY

The containment penetration requirements are applicable during CORE ALTERATIONS or movement of irradiated fuel assemblies within containment since this is when there is a potential for a fuel handling accident. In MODES 1, 2, 3 and 4, Containment Penetration requirements are addressed by LCO 3.6.1, "Containment". In MODES 5 and 6 when CORE ALTERATIONS or movement of irradiated fuel assemblies within containment are not being conducted, the potential for a fuel handling accident does not exist. Therefore, under these conditions no requirements are placed on containment penetration status.

ACTIONS

A.1 and A.2

With the containment equipment hatch, air locks, or any containment penetration providing direct access from the containment atmosphere to the outside atmosphere not in the required status, including the Containment Purge and Exhaust system not capable of automatic actuation when the purge and exhaust valves are open, the unit must be placed in a condition where the isolation function is not needed. This is accomplished by immediately suspending CORE ALTERATIONS and movement of irradiated fuel assemblies within containment. Performance of Required Actions A.1 or A.2 shall not preclude completion of actions to establish a safe condition.

SURVEILLANCE REQUIREMENTS

SR 3.9.3.1

This SR verifies that each of the containment penetrations required to be in its closed position is in that position or is capable of being closed by an OPERABLE automatic Containment Isolation Actuation Signal. As such, this Surveillance ensures that a postulated fuel handling accident which involves a release of fission product radioactivity within the containment will not result in a release of fission product radioactivity to the environment. The SR is performed every 7 days during CORE ALTERATIONS or movement of irradiated fuel assemblies within containment. The Surveillance interval is based on the importance of these penetrations to restrict the release of fission product radioactivity to the environment and has been shown to be acceptable through operating experience.

SR 3.9.3.2

This SR demonstrates each containment purge and exhaust valve actuates to its isolation position on an actual or simulated actuation signal. The [18 month] Frequency maintains consistency with similar ESFAS testing requirements and has been shown to be acceptable through operating experience.

REFERENCES

1. 10 CFR 20, Standards For Protection Against Radiation.

2. "Use of Silicone Sealant to Maintain Containment Integrity - ITS", GPU Nuclear Safety Evaluation SE-0002000-001, Rev. 0, May 20, 1988.

3. NUREG-0800, Standard Review Plan Section 15.7.4, Radiological Consequences of Fuel Handling Accidents, Rev. 1, July 1981.

4. Chapter 15.

SCS and Coolant Circulation - High Water Level B 3.9.4

B 3.9 REFUELING OPERATIONS

B 3.9.4 Shutdown Cooling System (SCS) and Coolant Circulation - High Water Level

BASES

BACKGROUND

The main purposes of the Shutdown Cooling System (SCS) are to remove decay heat and sensible heat from the Reactor Coolant System (RCS) when RCS pressure and temperature are below approximately 350 psig and 350°F, respectively (Ref. 1), to provide sufficient coolant circulation to minimize the effects of a boron dilution accident, and to prevent boron stratification. Heat is transferred from the RCS by circulating reactor coolant through the SCS where the heat is transferred to the Component Cooling Water (CCW) System via the SCS heat exchangers.

In the decay heat removal mode of operation, each loop of the SCS takes suction from one of the RCS hot legs. Flow from the SCS pumps is discharged through its respective heat exchanger or bypass, and is returned to the RCS via the RCS cold legs. This arrangement provides two redundant SCS divisions. Operation of the SCS for normal cooldown or decay heat removal is manually accomplished from the control room.

APPLICABLE SAFETY ANALYSES

If the reactor coolant temperature is not maintained below 200°F, boiling of the reactor coolant could result. This could lead to inadequate cooling of the reactor fuel due to a resulting loss of coolant in the reactor vessel.

Additionally, boiling of the reactor coolant could lead to a reduction in boron concentration in the coolant due to the boron plating out on components near the areas of the boiling activity, and because of the possible addition of water to the reactor vessel with a lower boron concentration than is required to keep the reactor subcritical. The loss of reactor coolant and the reduction of boron concentration in the reactor coolant would eventually challenge the integrity of the fuel cladding, which is a fission product barrier. One division of the SCS is required to be operational in MODE 6, with the water level ≥ 23 ft above the top of the reactor vessel flange, to prevent this challenge. The LCO does permit de-energizing of the SCS pump for short durations under the condition that the boron concentration is not diluted. This conditional de-energizing of the SCS pump does not result in a challenge to the fission product barrier.

Shutdown Cooling System and Coolant Circulation - High Water Level satisfies Criterion 2 of the NRC Policy Statement.

LCO

Only one SCS division is required for decay heat removal in MODE 6 with water level ≥ 23 feet above the top of the reactor vessel flange. Only one SCS division is required because the volume of water above the reactor vessel flange provides backup decay heat capability. At least one SCS division must be OPERABLE and in operation to:

a. Provide for decay heat removal;

b. Provide mixing of borated coolant to minimize the possibility of a criticality; and

c. Provide indication of average reactor coolant temperature.

An OPERABLE division consists of an SCS pump, a heat exchanger, valve, piping, instruments, and controls to ensure an OPERABLE flow path and to determine the low end temperature.

The requirements of this LCO are derived primarily from experience with decay heat removal in shutdown modes of operation. The principal purpose of this specification is to assure the capability to remove decay heat and to control RCS temperature and chemistry.

The LCO is modified by a Note which allows the operating SCS division to be removed from service for up to one hour per [8] hour period provided no operation that would cause dilution of the RCS boron concentration is in progress.

This permits operations such as core mapping or alterations in the vicinity of the reactor vessel hot leg nozzles and RCS to SCS isolation valve testing. During this one-hour period, decay heat is removed by natural convection to the large mass of water in the refueling cavity.

APPLICABILITY

One SCS division must be OPERABLE and in operation in MODE 6 with the water level ≥ 23 feet above the top of the reactor vessel flange to provide decay heat removal. The 23 foot value was selected because it corresponds to the requirement for fuel movement established by LCO 3.9.6, "Refueling Water Level". Requirements for the SCS in other MODES are covered by LCOs in Section 3.4, Reactor Coolant System.

SCS division requirements in MODE 6 when water level is < 23 feet are located in LCO 3.9.5, "SCS and Coolant Circulation - Low Water Level".

SCS division requirements in REDUCED RCS INVENTORY are addressed in LCO 3.4.8, "RCS Loops - MODE 5 (Loops Not Filled)".

ACTIONS

SCS division requirements are met by having one SCS division OPERABLE and in operation except as permitted in the Note to the LCO.

A.1

If SCS division requirements are not met, there will be no forced circulation to provide mixing to establish uniform boron concentrations. Reduced boron concentrations can occur by the addition of water with lower boron concentration than that contained in the RCS. Therefore, actions which reduce boron concentration shall be suspended immediately.

A.2

If SCS division requirements are not met, actions shall be taken immediately to suspend loading irradiated fuel assemblies in the core. With no forced circulation cooling, decay heat removal from the core occurs by natural convection to the heat sink provided by the water above the core. A minimum refueling water level of 23 feet above the reactor vessel flange provides an adequate available heat sink. Suspending any operation which would increase decay heat load, such as loading a fuel assembly, is a prudent action under this condition.

A.3

If SCS division requirements are not met, immediate actions shall be taken and continued to satisfy the SCS division requirements. With the unit in MODE 6 and the refueling cavity water level ≥ 23 feet above the top of the reactor vessel flange, the Completion Time of immediate ensures that prompt action is taken to meet the necessary SCS division cooling requirements.

A.4

If SCS division requirements are not met, all containment penetrations to the outside atmosphere must be closed to prevent fission products, if released by a loss of decay heat event, from escaping the containment. The 4 hour Completion Time provides ample opportunity to fix SCS problems without incurring the additional action of violating the containment atmosphere.

SURVEILLANCE REQUIREMENTS

SR 3.9.4.1

This Surveillance verifies that the SCS division is operating and circulating reactor coolant. The flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability and to prevent thermal and boron stratification in the core. The Frequency of 12 hours is sufficient considering the flow, temperature, pump control, and alarm indications available to the operator to monitor the SCS in the control room. This Frequency ensures that SCS division operation and flow is checked at adequate intervals.

REFERENCES

1. Chapter 5.

2. Chapter 15.

3. "NRC Staff Review of Nuclear Steam Supply Vendor Owners Groups' Application of the Commission's Interim Policy Statement Criteria to Standard Technical Specifications," transmitted by Thomas E. Murley (NRC) letter to Joseph K. Gasper (CEOG) dated May 9, 1988.

4. 52 FR 3788, NRC Interim Policy Statement on Technical Specification Improvements for Nuclear Power Reactors, February 6, 1987.

5. Section 19.8A, Shutdown Risk Evaluation.

SCS and Coolant Circulation - Low Water Level B 3.9.5

B 3.9 REFUELING OPERATIONS

B 3.9.5 Shutdown Cooling System (SCS) and Coolant Circulation - Low Water Level

BASES

BACKGROUND

The Background section for Bases B 3.9.4 is applicable to this Bases.


APPLICABLE SAFETY ANALYSES

If the reactor coolant temperature is not maintained below 200°F, boiling of the reactor coolant could result. This could lead to inadequate cooling of the reactor fuel due to the resulting loss of coolant in the reactor vessel.

Additionally, boiling of the reactor coolant could lead to a reduction in boron concentration in the coolant due to the boron plating out on components near the areas of the boiling activity, and because of the possible addition of water to the reactor vessel with a lower boron concentration than is required to keep the reactor subcritical. The loss of reactor coolant and the reduction of boron concentration in the reactor coolant would eventually challenge the integrity of the fuel cladding, which is a fission product barrier. Two divisions of the SCS are required to be OPERABLE, and one division is required to be in operation in MODE 6, with the water level < 23 ft above the top of the reactor vessel flange, to prevent this challenge.

SCS and Coolant Circulation - Low Water Level satisfies Criterion 2 of the NRC Policy Statement.

LCO

Only one SCS division is needed for decay heat removal in MODE 6 with water level < 23 feet above the top of the reactor vessel flange. To increase reliability, both SCS divisions must be OPERABLE. Additionally, one division of SCS must be in operation in order to:

a. Provide for decay heat removal;

b. Provide mixing of borated coolant to minimize the possibility of a criticality; and

c. Provide indication of average reactor coolant temperature.

An OPERABLE SCS division consists of an SCS pump, a heat exchanger, valves, piping, instruments, and controls to ensure an OPERABLE flow path and to determine the low end temperature. The flow path starts in one of the RCS hot legs and is returned to the RCS cold legs.

In addition, during REDUCED RCS INVENTORY conditions a Containment Spray pump in the same division as the operating SCS pump is required to be OPERABLE. The Containment Spray pump is interchangeable with the SCS pump and provides a backup to the operating SCS pump. This requirement ensures forced circulation is available for decay heat removal if the operating SCS pump becomes inoperable for any reason.

The requirements of this LCO are derived primarily from experience with decay heat removal in shutdown modes of operation. The principal purpose of this specification is to assure the capability to remove decay heat and to control RCS temperature and chemistry with low water level.

APPLICABILITY

Two SCS divisions are required to be OPERABLE and one SCS division must be in operation in MODE 6 with the water level < 23 feet above the top of the reactor vessel flange to provide decay heat removal. Requirements for the SCS in other MODES are covered by LCOs in Section 3.4, Reactor Coolant System.

MODE 6 requirements with water level ≥ 23 feet above the reactor vessel flange are covered in LCO 3.9.4, "SCS and Coolant Circulation - High Water Level".

ACTIONS

A.1 and A.2

With one SCS division inoperable and the other SCS division operating, actions shall be taken and continued until the SCS division is restored to OPERABLE status or to establish water level of ≥ 23 feet above the reactor vessel flange. At that point, the Applicability will change to that of LCO 3.9.4, "SCS and Coolant Circulation - High Water Level," and only one SCS division is required to be OPERABLE and in operation. With the unit in MODE 6, immediate corrective actions must be taken.

B.1

If no SCS division is in operation or no SCS divisions are OPERABLE, there will be no forced circulation to provide mixing to establish uniform boron concentrations. Reduced boron concentrations can occur by the addition of water with lower boron concentration than that contained in the RCS. Therefore, actions which reduce boron concentration shall be suspended immediately.

B.2

With no SCS division in operation or with both SCS divisions inoperable, actions shall be initiated immediately and continued without interruption to restore one SCS division to OPERABLE status and operation. As the unit is in Conditions A and B concurrently, the restoration of two OPERABLE SCS divisions and one operating SCS division should be accomplished as quickly as possible. With at least one SCS division operable, water level can be raised ≥ 23 feet above the reactor vessel flange and the applicability will change to that of LCO 3.9.4, "SCS and Coolant Circulation - High Water Level," and only one SCS division is required.

B.3

If no SCS division is in operation or no SCS divisions are OPERABLE and the plant is in REDUCED RCS INVENTORY conditions, the Required Action is to immediately initiate action to raise RCS level to > [EL 117'0"]. The immediate Completion Time reflects the importance of maintaining operation for decay heat removal and preventing a boron dilution event.

C.1, C.2, and C.3

If the Containment Spray pump in the operating SCS division is inoperable, action must be initiated to place the alternate division in operation (if the Containment Spray pump in the alternate division is OPERABLE) immediately. Also, SCS performance must be monitored [every 30 minutes] and the inoperable Containment Spray pump must be restored to OPERABLE condition within [48 hours].

D.1

If the Containment Spray pump cannot be restored within [48 hours], RCS level must be raised to > [EL 117'0"] within [6 hours]. This will place the plant in a conservative position with respect to providing decay heat removal.

SURVEILLANCE REQUIREMENTS

SR 3.9.5.1

This Surveillance verifies that the SCS division is operating and circulating reactor coolant. The flow rate is determined by the flow rate necessary to provide sufficient decay heat removal and to prevent thermal and boron stratification in the core.

In addition, during operation of the SCS division with the water level in the vicinity of the reactor vessel nozzles, the SCS division flow rate determination must also consider the SCS pump suction requirements. The Frequency of 12 hours is sufficient considering the flow, temperature, pump control, and alarm indications available to the operator to monitor the SCS system in the control room. This Frequency ensures that flow is checked and temperature monitored at adequate intervals.

SR 3.9.5.2

Verification that the required divisions are OPERABLE and in operation ensures that divisions can be placed in operation as needed, to maintain decay heat and retain forced circulation. The Frequency of 12 hours is considered reasonable, since other administrative controls are available and have proven to be acceptable by operating experience.

Verification is performed by ensuring correct breaker alignment and indicated power available to the required pumps. The Frequency of seven days is considered reasonable in view of other administrative controls available and has been shown to be acceptable by operating experience.

SR 3.9.5.3

Verification of the correct breaker alignment and indicated power available to the operable CS pump ensures that the CS pump will be able to remove heat from the RCS in the event of a power failure to the operating SCS division. The Frequency of [24 hours] is based on operating experience.

REFERENCES

1. Chapter 5.

2. Chapter 15.

3. "NRC Staff Review of Nuclear Steam Supply Vendor Owners Groups' Application of the Commission's Interim Policy Statement Criteria to Standard Technical Specifications," transmitted by Thomas E. Murley (NRC) letter to Joseph K. Gasper (CEOG) dated May 9, 1988.

4. 52 FR 3788, NRC Interim Policy Statement on Technical Specification Improvements for Nuclear Power Reactors, February 6, 1987.

5. Section 19.8A, Shutdown Risk Evaluation.

Refueling Water Level B 3.9.6

B 3.9 REFUELING OPERATIONS

B 3.9.6 Refueling Water Level

BASES

BACKGROUND

Requirements on water level in the containment, the refueling cavity, the refueling canal, the fuel transfer canal, and the spent fuel pool during refueling ensure that sufficient water depth is available to remove 99% of the iodine gap activity released by the postulated rupture of an irradiated fuel assembly in containment (Ref. 1). The fuel pellet to cladding gap is assumed to contain 5% of the total fuel rod iodine inventory. The movement of irradiated fuel assemblies within containment requires a minimum water level of 23 feet above the top of the reactor vessel flange which assures offsite doses remain < 25% of the 10 CFR 100 limits as required in Reference 5.

APPLICABLE SAFETY ANALYSES

During CORE ALTERATIONS and during movement of irradiated fuel assemblies, the water level in the refueling cavity and refueling canal is an initial condition design parameter in the analysis of the fuel handling accident in containment postulated by NRC Regulatory Guide 1.25 (Ref. 1). A minimum water level of 23 feet (Regulatory Position C.1.c of Ref. 1) allows a decontamination factor of 100 (Regulatory Position C.1.g of Ref. 1) to be used in the accident analysis for iodine. This relates to the assumption that 99% of the total iodine released from the pellet to cladding gap of all the dropped fuel assembly rods is retained by the refueling cavity water. The fuel pellet to cladding gap is assumed to contain 5% of the total fuel rod iodine inventory (Ref. 1).

The fuel handling accident analysis inside containment is described in Reference 2. With a minimum water level of 23 feet and a minimum decay time of 72 hours prior to fuel handling, the analysis and test programs demonstrate that the iodine release due to a postulated fuel handling accident is adequately captured by the water and offsite doses are maintained within allowable limits (Ref. 4).

Refueling water level satisfies Criterion 2 of the NRC Policy Statement.

LCO

A minimum refueling water level of 23 feet above the reactor vessel flange is required to ensure that the radiological consequences of a postulated fuel handling accident inside containment are within acceptable limits.

APPLICABILITY

LCO 3.9.6 is applicable during CORE ALTERATIONS, except during latching and unlatching of control rod drive shafts, and when moving irradiated fuel assemblies within containment. The LCO minimizes the possibility of a fuel handling accident in containment that is beyond the assumptions of the safety analysis. If irradiated fuel is not present in containment, there can be no significant radioactivity release as a result of a postulated fuel handling accident.

ACTIONS

A.1 and A.2

With a water level of less than 23 feet above the top of the reactor vessel flange, all CORE ALTERATIONS and operations involving movement of irradiated fuel assemblies shall be suspended immediately to ensure a fuel handling accident cannot occur. The suspension of fuel movement shall not preclude completion of movement to a safe position.

A.3

In addition to immediately suspending CORE ALTERATIONS or movement of irradiated fuel, actions to restore refueling cavity water level must be initiated immediately.

SURVEILLANCE REQUIREMENTS

SR 3.9.6.1

Verification of a minimum water level of 23 feet above the top of the reactor vessel flange ensures that the design basis for the postulated fuel handling accident analysis during refueling operations is met. Water at the required level above the top of the reactor vessel flange mitigates the consequences of a postulated fuel handling accident inside containment which results in damaged fuel rods (Ref. 2).

The 24 hour Frequency ensures that the water is at the required level and is considered adequate because, with the large volume of water and the normal procedural controls of valve positions, significant unplanned level changes are unlikely.

REFERENCES

1. USNRC Regulatory Guide 1.25, Assumptions Used for Evaluating the Potential Radiological Consequences of a Fuel Handling and Storage Facility for Boiling and Pressurized Water Reactors, March, 1982.

2. Chapter 15.

3. 52 FR 3788, "Proposed Policy Statement on Technical Specifications Improvements for Nuclear Power Plants", February 6, 1987.

4. 10 CFR 100.11, "Determination of Exclusion Area, Low Population Zone and Population Center Distance."

5. NUREG-0800, "Standard Review Plan", Section 15.7.4, Radiological Consequences of Fuel Handling Accidents, U.S. Nuclear Regulatory Commission.

System 80+ Design Control Document

Effective Page Listing Chapter 17

Pages                          Date
i, ii                          1/97
iii, iv                        Original
17.1-1, 17.1-2                 Original
17.2                           Original
17.3-1                         1/97
17.3-2 through 17.3-5          Original
17.3-6                         1/97
17.3-7, 17.3-8                 Original
17.3-9, 17.3-10                2/95
17.3-11 through 17.3-15        Original
17.3-16                        2/95
17.3-17 through 17.3-29        Original


Chapter 17 Contents

17.0 Quality Assurance Program   17.1-1
17.1 Quality Assurance During the Design Phase   17.1-1
17.1.1 Verification Process for Design Basis Events   17.1-1
17.2 Quality Assurance During the Operations Phase   17.2-1
17.3 Reliability Assurance Program During the Design Phase   17.3-1
17.3.1 Introduction   17.3-1
17.3.2 Scope   17.3-1
17.3.3 Purpose   17.3-1
17.3.4 Objective   17.3-2
17.3.5 ABB-CE Organization for D-RAP   17.3-2
17.3.6 SSC Identification/Prioritization   17.3-3
17.3.7 Design Considerations   17.3-6
17.3.8 Defining Failure Modes   17.3-7
17.3.9 Operations Reliability Assurance Activities   17.3-7
17.3.10 Operations Reliability Assurance Process   17.3-8
17.3.11 D-RAP Implementation   17.3-9
17.3.12 Glossary of Terms and Acronyms   17.3-11
17.3.13 COL Information   17.3-11
17.3.14 References   17.3-12

Chapter 17 Tables

17.3-1 Example of Component Importance for an ALWR for Internal Events   17.3-13
17.3-2 Example of Risk-Significant Ranking of SSCs for the CCWS Train 1   17.3-16
17.3-3 Example of CCWS Failure Modes & Operations Reliability Assurance Process Activities   17.3-18
17.3-4 Reference Locations Where D-RAP Systems and Equipment are Specified   17.3-19

Chapter 17 Figures

17.3-1 Example of System 80+ Design Functional Project Organization   17.3-20
17.3-2 Design Evaluation for SSCs   17.3-21
17.3-3 Process for Determining Dominant Failure Modes   17.3-22
17.3-4 Use of Failure History to Define Failure Modes   17.3-23
17.3-5 Analytical Assessment to Define Failure Modes   17.3-24
17.3-6 Inclusion of Maintenance Requirements in the Definition of Failure Modes   17.3-25
17.3-7 Identification of Risk-Significant SSC Operations Reliability Assurance Process Activities   17.3-26
17.3-8 Example of Early CCWS Design   17.3-27
17.3-9 Example of Improved CCWS Design   17.3-28
17.3-10 Example of Fault Tree for CCWS Train 1   17.3-29

Approved Design Material - QA Program Page iv


17.0 Quality Assurance Program

17.1 Quality Assurance During the Design Phase

The ABB-CE Quality Assurance Program is described in the topical report CENPD-210-A, "Quality Assurance Program." The list of specific equipment covered by this program is contained in Table 3.2-1.

In regard to Three Mile Island (TMI)-2 Item I.F.2, one part of subpart 3 (inclusion of QA personnel in design activities) is covered by the quality assurance program for the System 80+™ design, described in CENPD-210-A.

((The COL Applicant will develop and implement a construction QA program (COL Item 17-1). This will include the site-specific information to address the issues in TMI Action Plan Item II.J.3.1.))[1]

17.1.1 Verification Process for Design Basis Events

The goal of the Design Certification Program is certification of the System 80+ Standard Plant design by the Nuclear Regulatory Commission under Part 52 of the Code of Federal Regulations.


The starting point for the System 80+ Design Certification program was the System 80 design as represented by CESSAR-F (which holds a Final Design Approval from the NRC in conformance with existing regulations) and the Duke Power Company's Cherokee and Perkins (P-81) balance-of-plant (BOP) design. A full complement of final design detail is available for the System 80 Nuclear Steam Supply System (NSSS) and for CESSAR-F. The P-81 BOP design progressed to the PSAR stage and was awarded a Construction Permit by the NRC before the project was canceled.

Certain analyses of design basis events included in this Approved Design Material (ADM) are not intended to be repeated by the COL applicant. Accordingly, such non-repetitive safety analyses have been subjected to design verification prior to an award of a contract. The traditional design verification process for a nuclear power plant, consistent with the requirements of NQA-1, is finished after the detailed design. However, in the design certification process, since a portion of the detailed design is yet to be completed, the design verification process cannot follow this sequence. In order to address the design verification needs for a Certified Design, the scope of the ABB-CE design verification process used for the System 80+ Standard Plant covers all the non-repetitive safety analyses. Specifically, these non-repetitive safety analyses include all the design basis event analyses presented in Chapters 5, 6, and 15; analyses that set safety-related design parameters, including those described in the Certified Design Material (CDM); and an Appendix 6B analysis performed to verify the System 80+ capability to safely handle a hypothetical small break LOCA-boron dilution event. In addition, the work performed outside the traditional NSSS design has been verified.

By definition, the design verification for detailed engineering which falls outside this scope will be finished after the detailed engineering is completed. Even without completing detailed engineering, the System 80+ design certification process provides a high degree of assurance that the design will not violate the bases for certification. This is because the System 80+ design is an evolutionary design and is based directly on the System 80 Final Design Approval (FDA), the P-81 BOP, the experience of operating plants, as well as the ABB-CE Korean System 80 designs which are under construction in the Republic of Korea. Detailed engineering and design verification have, of course, been completed for these designs. Many major components in the System 80+ design (Reactor Vessel, Fuel, Reactor Coolant Pumps) are of the same basic design as System 80.

Other systems and components such as Steam Generators, Pressurizer, and Engineered Safety Features (e.g., Emergency Feedwater and Safety Injection Systems) have changed only slightly from the System 80 design. Some systems not in System 80, but in the System 80+ design (e.g., the Safety Depressurization System), are in the ABB-CE Korean System 80 designs.

™ System 80+ is a trademark of Combustion Engineering, Inc.
[1] COL information item; see DCD Introduction Section 3.2.

The ABB-CE design verification of the System 80+ Certified Design consists of three basic steps. These are:

1) the use of Certified Computer Codes and base decks for all non-repetitive analyses (including limiting and non-limiting events);
2) the verification of base deck input for (a) generic base decks and (b) specific base decks' variation used for limiting events and those that establish safety design settings; and
3) the verification that the limiting conditions (e.g., worst break size in a LOCA) are correct.

For non-limiting analyses, the advantages of the evolutionary design and the experience from prior designs have been utilized in the verification process. For these cases the verification consisted of verifying the base decks followed by comparison of the System 80+ results with the System 80 results, which were previously verified. The comparison made adjustments for known parameter differences.

The design verification process described above responds to the unique requirements of a Certified Design Process while still meeting the requirements of the ABB-CE Design Verification Procedures, which are compliant with the NRC-approved QA Program described in Topical Report CENPD-210-A.

In addition, to provide added assurance that the System 80+ design information is correct and appropriate for intended purposes, the following has been done:

1) Multidisciplinary reviews (Integrated Reviews) were conducted throughout design development by teams appointed by Project Management, and
2) design information provided to the NRC has been reviewed for consistency among relevant ADM chapters and among other referenced documents.

17.2 Quality Assurance During the Operations Phase

((The COL Applicant will develop and implement an operation QA program (COL Item 17-1). This will include the site-specific information to address the issues in TMI Action Plan Items I.F.2 and II.J.3.1.))[1]


17.3 Reliability Assurance Program During the Design Phase

This section presents the System 80+ Design Reliability Assurance Program (D-RAP).

17.3.1 Introduction

The System 80+ Design Reliability Assurance Program (D-RAP) is a program that will be performed by the designers during detailed design and specific equipment specification phases to assure that the important System 80+ reliability assumptions of the Probabilistic Risk Assessment (PRA) will be identified and considered throughout the plant life. The PRA evaluates the plant response to initiating events to assure that plant damage has a very low probability and risk to the public is very low. The PRA also evaluates improvements in overall plant safety relative to previous designs, and identifies the relative risk significance of the plant's structures, systems and components (SSCs). Input to the PRA includes details of the plant design and assumptions about the reliability of the plant risk-significant SSCs.

((The plant owner/operator will complete the site specific D-RAP and will have an operations reliability assurance process. The COL applicant/holder should incorporate the operational reliability assurance process objectives into existing programs (e.g., quality assurance or maintenance) that will monitor equipment performance to provide reasonable assurance that the plant is operated and maintained with an acceptably low risk commensurate with PRA assumptions (COL Items 17-2, 17-3).))[1]

The D-RAP will include the design evaluation of the System 80+. It will identify relevant aspects of plant operation, maintenance, and performance monitoring of important plant SSCs for owner/operator consideration in assuring safety of the equipment, maintenance of critical functions, and limited risk to the public. The policy and implementation procedures will be specified by the owner/operator (See Section 17.3.13).

Also included in this explanation of the D-RAP is a descriptive example of how the D-RAP will apply to one potentially important plant system, the Component Cooling Water System (CCWS). The CCWS example shows how the principles of D-RAP will be applied to other systems identified by the PRA as being significant with respect to risk.

17.3.2 Scope

The System 80+ D-RAP will include the design evaluation of the System 80+, and it will identify relevant aspects of plant operation, maintenance and performance monitoring of plant risk-significant SSCs. The PRA for the System 80+ and other industry sources will be used to identify and prioritize those SSCs that are important to prevent or mitigate plant transients or other events that could present a risk to the public.

17.3.3 Purpose

The purpose of the D-RAP is to assure that the plant safety, as estimated by the PRA, is maintained as the detailed design evolves throughout the implementation and procurement phases and that pertinent information is provided in the design documentation to the future owner/operator. It is expected that the COL applicant will use this information so that equipment reliability and availability, as it affects plant safety, can be maintained through operation and maintenance during the entire plant life.

17.3.4 Objective

The objective of the D-RAP is to identify those plant SSCs that are significant contributors to risk, as shown by the PRA or other sources, and to assure that, during the implementation phase, the plant design continues to utilize risk-significant SSCs whose reliability is commensurate with the PRA assumptions.

The D-RAP will also identify key assumptions regarding any operation, maintenance and monitoring activities that the owner/operator should consider in developing its operations reliability assurance process to assure that such SSCs can be expected to operate throughout plant life with a reliability consistent with that assumed in the PRA.

A major factor in plant reliability assurance is risk-focused maintenance (Reference 17.3-1). Maintenance resources are focused on those SSCs that enable the System 80+ risk-significant systems to fulfill their safety-related functions and maintain the safety margins. Also, maintenance is focused on SSCs whose failure may directly initiate challenges to risk-significant systems. All plant modes are considered, including equipment directly relied upon in emergency operating procedures (EOPs). Such a focus of maintenance will help to maintain an acceptably low level of risk consistent with the PRA.

17.3.5 ABB-CE Organization for D-RAP

The project organization used for the detailed design of System 80+, shown in Figure 17.3-1, was integrated and the responsibility to meet the D-RAP objectives rests with the Project Director. Regular meetings are scheduled to coordinate all the design and D-RAP activities with participation of the Engineering Manager, PRA and D-RAP Program Manager, the Project Integration Manager, the Quality Assurance Manager, Regulatory Conformance Manager and other managers as necessary. During these meetings, design changes and the impact on the overall plant performance are identified, and discussions about the impact of these changes on plant risk are held. Management meetings are also held in which programmatic issues affecting the System 80+ design are discussed. The responsibilities of each organization in the D-RAP plan are as follows:

The Project Director is responsible for the programmatic aspects of the plant design as well as the overall direction of the project, certification and licensing issues. The NSSS Design Manager is responsible for the design of the nuclear steam supply system. The Regulatory Conformance Manager has the responsibility of addressing any regulatory concerns and bringing these concerns to the attention of the Project Integration Manager and PRA and D-RAP Program Manager.

The Nuclear Steam Supply System (NSSS) Design Engineering organization is the core of the RAP and it is responsible for the design of the System 80+ NSSS. It is in this group where the NSSS design and drawings are developed with inputs from the Mechanical, Instrument and Controls, Reactor, and Fluid Systems subgroups. It is also in this organization where the PRA models are developed as well as the Technical Specifications and plant procedures.

The PRA and D-RAP Program Manager is responsible for managing and integrating the D-RAP Program and has direct access to the System 80+ Project Integration Manager and is responsible for keeping him abreast of D-RAP critical items, program needs and status. The PRA and D-RAP Program Manager or his designee will attend all of the design review and progress meetings. He has organizational freedom to:

• Identify D-RAP problems;
• Initiate, recommend or provide solutions to problems through designated organizations;
• Verify implementation of solutions; and
• Function as an integral part of the design team and final design process.

The PRA and D-RAP Program Manager is in the department which performs reliability analyses, risk assessments and PRAs. This group reports to the NSSS Design Manager, through the PRA and D-RAP Program Manager (Figure 17.3-1). The PRA input to the D-RAP and any of the System 80+ reliability analyses will be performed in this group and will be integrated into the design organization.

The Quality Assurance organization provides quality control by performing regular audits and participating in the scheduled meetings to discuss System 80+ issues.

((The COL applicant completing detailed design and equipment selection during the design phase should submit its specific D-RAP organization for the NRC to review (COL Item 17-2).))[1]

17.3.6 SSC Identification/Prioritization

The PRA prepared for the System 80+ will be the primary source for identifying risk-significant SSCs that should be given special consideration during the detailed design and procurement phases and/or considered for inclusion in the operations reliability assurance process. The method by which the PRA is used to identify risk-significant SSCs is described below. The PRA insights are summarized in Section 19.15 and the system and component importance is given in the System 80+ PRA. It is also possible that some risk-significant SSCs will be identified from sources other than the PRA, such as nuclear plant operating experience, other industrial experience and relevant component failure data bases.

Table 17.3-4 gives the sections in the ADM where systems and equipment are specified to be included in the D-RAP. The primary source for the identification of systems and equipment to be included in the D-RAP is the PRA. A Level III Probabilistic Risk Assessment has been performed for the System 80+ design. The PRA evaluates the plant response to initiating events to assure that the risk to the public is also very low. Input to the PRA includes details of the plant design and assumptions about the reliability of the plant risk-significant SSCs. The results of the PRA include such things as core damage frequencies and the combination of equipment failures that lead to core damage or large releases.

The primary analytical measure used is the Risk Achievement Worth (RAW). It represents how the Core Damage Frequency (CDF) would increase if the system or component always failed (i.e., failure probability of 1.0/demand). It gives an extreme measurement of how the risk would be affected if a system or component were poorly designed, selected, installed, maintained, or operated. This measure is given in the System 80+ PRA for internal events. For example, assume the steam generator atmospheric dump valves have a RAW of 5.14. If these valves were incapable of performing their task, the total core damage frequency would increase by a factor of 5.14.

Advanced Light Water Reactors (ALWRs), in general, have a CDF that is approximately an order of magnitude lower than the existing plants. For the D-RAP program, risk significant SSCs are those SSCs that have a RAW of five or greater. The equipment not included in D-RAP will have a RAW less than 5. This means that if the excluded equipment is poorly designed, selected, or installed so that it has a near zero reliability, the predicted CDF would still be lower than that of the average existing plant by a factor of two. In the example of the atmospheric dump valves, because of the relative sensitivity (RAW ≥ 5), the D-RAP would include them to assure the proper design, selection, installation, and maintenance.

Another analytical measure to identify risk significant SSCs is the Risk Reduction Worth (RRW). This is a measure of how the CDF would be reduced if the component had a perfect reliability (failure probability 0.0/demand). The measure given is the ratio of the base CDF divided by the RRW CDF and is greater than 1.0. In the shutdown PRA, the inverse value is used.

The third analytical measure is the Fussell-Vesely Worth (FVW). This gives the fraction of the base CDF that failure of the component contributes to the CDF. It is the best estimate for the importance of a component in the current design.


Risk Significant SSCs are also selected based on regulations and engineering judgment. For example, equipment specified in 10CFR50.62 is considered. Risk significant SSCs as described in Section 3.3.1.4 of ANSI/ANS-51.1 are considered in the equipment classified as QC-2 in Table 3.2-1.

17.3.6.1 Level I Analysis

The Level I analysis follows an accident sequence from an initiating event through failures of various safety functions to an end state which results in core damage. The Level I analysis also predicts the frequency and dominant contribution to core damage.

The System 80+ PRA gives the component importance for System 80+ for internal events using different importance measurements. As discussed above, components with a RAW (change in risk if failure rate is 1.0) greater than five are selected for the D-RAP program. The System 80+ PRA highlights the components with RAWs greater than 5.

The System 80+ PRA gives the Risk Reduction Worth for the components for internal events. The RRWs represent the reduction of risk with a component having a zero failure rate. The components with the RRWs greater than 1.1 are selected for the D-RAP and have been highlighted. SSCs with a RAW between 2.0 and 5.0 are selected if their RRW is greater than 1.05.

The Fussell-Vesely Worth is a measure of what fraction of the CDF the component failure contributes. The System 80+ PRA gives the Fussell-Vesely Worth for the components and failure modes. Using a selection criterion of 10%, components are selected for the D-RAP.

17.3.6.2 Level II Analysis

The Level II analysis predicts vessel failure, the containment response, and ascertains the likelihood, magnitude, and timing of radiological releases to the environment. The System 80+ PRA describes a containment response and sensitivity analysis for the Level II of the PRA. The containment sprays were added to D-RAP based on discussions in Section 19.11. The System 80+ PRA shows the sensitivity of the risk consequences to various Level II assumptions. Only one assumption (failure to isolate containment) showed a noticeable effect (sensitivity case/base case > 5) on releases. The other assumptions increase the risk by much less.

17.3.6.3 External Events

External events are considered in the System 80+ PRA and include tornado, fire, flooding, and seismic events.

The CDF due to tornado strike events is determined in the System 80+ PRA. The event is modeled as loss of offsite power for 24 hours with the alternate AC source also being unavailable. Section 19.15 describes the insights from this event. Failure of the diesels is the dominant cause and the designers are reminded of the importance of this safety equipment. Clogging of the Station Service Water (SSW) intake structure with tornado generated debris was also found to be important and the intake structure design has been included in the D-RAP.

The risks associated with fires are discussed in the System 80+ PRA. Fires represent a small risk to the plant as long as the three-hour fire barriers are designed and maintained between the divisions (Section 19.15). Fire barrier design has been included in the D-RAP.

Flood analysis is presented in the System 80+ PRA and the insights are given in Section 19.15. In a scoping analysis, the CDF from flooding was estimated as being very small. The existence of the flood barriers dominates the risk and has been added to the D-RAP.

The seismic analysis is presented in the System 80+ PRA. The first dominant contributor to the plant HCLPF (High Confidence of Low Probability of Failure) is seismically induced gross structural failure due to a seismically induced failure/overturning of the containment vessel, which is assumed to lead directly to core damage and containment failure. The second dominant contributor to the plant HCLPF is a seismically induced LOCA in excess of ECCS capacity caused by a seismically induced failure of the RCP supports.


There are three sequences where the contributor to the plant HCLPF due to "mixed cutsets" is potentially significant. A "mixed cutset" contains both seismic failures and random failures. These sequences are SEIS-SBO, EQA-15 and EQA-9. SEIS-SBO is a seismic induced loss of offsite power with random failures of the diesels and alternate AC source leading to a station blackout and battery depletion. EQA-15 is a seismically induced ATWS early in the core life. The ATWS was assumed to be caused by seismic deformation of the upper guide structure and leads to a small LOCA from failed check valves. EQA-9 is another ATWS sequence with failure of the charging system to provide long term reactivity control. The Safety Depressurization System also fails so that the Safety Injection System cannot be used for reactivity control. The structures and equipment associated with these external events have been added to the D-RAP.

17.3.6.4 Shutdown Analysis

The shutdown risk assessment for System 80+ was performed with the insights presented in Section 19.15. An importance analysis was performed for the branch points of the event trees. The branch points contain initiating events, the operator errors, and the equipment failures (fault tree cutsets) for the systems. The branch points with RAW values greater than five or inverse RRWs less than 0.8 or FVW greater than 0.1 have been included in D-RAP.
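The importance measures defined in Section 17.3.6 and the selection thresholds of Sections 17.3.6.1 and 17.3.6.4 can be worked through on a small model. The following Python block is an added example, not ABB-CE code and not System 80+ PRA data: it quantifies core damage frequency from constructed minimal cut sets (each initiator's frequency multiplies the exact probability, by inclusion-exclusion over independent basic events, that its mitigating systems fail), computes RAW, RRW and FVW for each basic event by setting its failure probability to 1.0 or 0.0, and then applies the internal-events criteria (RAW of five or greater, RRW greater than 1.1, RAW between 2.0 and 5.0 with RRW greater than 1.05, or FVW of 10% or more) and the shutdown criteria (RAW greater than five, inverse RRW less than 0.8, or FVW greater than 0.1). The initiators, cut sets, probabilities and SSC names are constructed assumptions.

```python
"""Importance measures and D-RAP selection on a constructed cut-set model.

Added example: not ABB-CE code and not System 80+ PRA data.  Initiators,
cut sets, basic-event probabilities and SSC names are all constructed.
"""
from itertools import combinations
from math import prod

# Constructed model: initiator -> (frequency per reactor-year, minimal cut sets
# of mitigating-system failures that lead to core damage given that initiator).
MODEL = {
    "LOOP": (0.05, [
        {"DG-A", "DG-B", "AAC"},   # station blackout: both diesels and alternate AC fail
        {"ADV", "SDS"},            # no secondary heat removal and no depressurization
    ]),
    "SLOCA": (1.0e-3, [
        {"SI-A", "SI-B"},          # both safety injection trains fail
        {"CCW-1", "CCW-2"},        # both component cooling water trains fail
    ]),
}

# Constructed failure probabilities per demand for the basic events above.
PROBS = {
    "DG-A": 0.03, "DG-B": 0.03, "AAC": 0.10, "ADV": 0.02, "SDS": 0.05,
    "SI-A": 0.01, "SI-B": 0.01, "CCW-1": 0.02, "CCW-2": 0.02,
}


def union_probability(cut_sets, probs):
    """Exact probability that at least one cut set occurs, assuming independent
    basic events, by inclusion-exclusion over the cut sets (small models only)."""
    total = 0.0
    for k in range(1, len(cut_sets) + 1):
        sign = 1.0 if k % 2 == 1 else -1.0
        for combo in combinations(cut_sets, k):
            events = set().union(*combo)
            total += sign * prod(probs[e] for e in events)
    return total


def core_damage_frequency(model, probs):
    """CDF = sum over initiators of frequency x P(mitigation fails | initiator)."""
    return sum(freq * union_probability(cut_sets, probs)
               for freq, cut_sets in model.values())


def importance(model, probs, event):
    """RAW, RRW and FVW of one basic event as defined in Section 17.3.6:
    RAW = CDF with the event certain / base CDF,
    RRW = base CDF / CDF with the event impossible,
    FVW = fraction of the base CDF removed when the event is impossible."""
    base = core_damage_frequency(model, probs)
    failed = core_damage_frequency(model, {**probs, event: 1.0})
    perfect = core_damage_frequency(model, {**probs, event: 0.0})
    return {
        "RAW": failed / base,
        "RRW": base / perfect if perfect > 0.0 else float("inf"),
        "FVW": (base - perfect) / base,   # identical to 1 - 1/RRW
    }


def risk_significant_internal(m):
    """Internal-events criteria of Section 17.3.6.1, using the 'five or
    greater' RAW wording of Section 17.3.6."""
    return (m["RAW"] >= 5.0
            or m["RRW"] > 1.1
            or (2.0 <= m["RAW"] <= 5.0 and m["RRW"] > 1.05)
            or m["FVW"] >= 0.10)


def risk_significant_shutdown(m):
    """Shutdown criteria of Section 17.3.6.4, stated there with the inverse RRW."""
    inverse_rrw = 0.0 if m["RRW"] == float("inf") else 1.0 / m["RRW"]
    return m["RAW"] > 5.0 or inverse_rrw < 0.8 or m["FVW"] > 0.1


def select_for_drap(model, probs, criterion=risk_significant_internal):
    """Sorted names of the basic events that meet the given criterion."""
    return sorted(e for e in probs if criterion(importance(model, probs, e)))


if __name__ == "__main__":
    print(f"base CDF = {core_damage_frequency(MODEL, PROBS):.3e} per reactor-year")
    for e in sorted(PROBS):
        m = importance(MODEL, PROBS, e)
        print(f"{e:6s} RAW={m['RAW']:6.2f} RRW={m['RRW']:6.3f} FVW={m['FVW']:.3f}")
    print("D-RAP (internal events):", select_for_drap(MODEL, PROBS))
    print("D-RAP (shutdown):", select_for_drap(MODEL, PROBS, risk_significant_shutdown))
```

On the constructed model the diesel generators fall in the RAW 2.0 to 5.0 band and are picked up only because their RRW exceeds 1.05, the dump valve and depressurization events exceed RAW 5 by a wide margin, and the alternate AC source and the small-LOCA mitigation trains fall below every threshold; the three measures therefore rank the same equipment differently, which is why the chapter applies all of them. The FVW = 1 - 1/RRW identity is a cheap consistency check on any importance table.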

17.3.6.5 Other Sources

On October 4-6, 1993, a panel of engineers from ABB-CE met to establish important PRA-based safety insights for System 80+ and recommend at what tier in the licensing environment they should be addressed. Recommendations for D-RAP and operations reliability assurance process were made.

Design engineers have chosen to place their equipment into the D-RAP program. The references for this equipment are given in Table 17.3-4.


17.3.7 Design Considerations

The reliability of risk-significant SSCs, which are identified by the PRA, will be evaluated at the detailed design stage by appropriate design reviews and reliability analyses. Current data bases will be used to identify appropriate values for failure rates of equipment as designed, and these failure rates will be compared with those used in the PRA. Normally, the failure rates will be similar, but in some cases they may differ because of recent design or data base changes. Whenever failure rates of designed risk-significant SSCs are significantly greater than those assumed in the PRA, an evaluation will be performed to determine if the equipment is acceptable or if it must be redesigned to achieve the appropriate reliability.

For those risk-significant SSCs, as indicated by the PRA or other sources, component redesign (including selection of a different component) will be considered as a way to reduce the Core Damage Frequency (CDF) contribution. (If the system unavailability or the CDF is acceptably low, less effort will be expended toward redesign). If there are practical ways to redesign a risk-significant SSC, it will be redesigned and the change in system fault tree results will be calculated. Following any redesign, dominant SSC failure modes will be identified so that protection against such failure modes can be accomplished by appropriate activities during plant life. The design considerations that will go into determining an acceptable, reliable design and the SSCs that should be considered for the operations reliability assurance process are illustrated in Figure 17.3-2.

Using the PRA or other design documents, the designer will identify to the COL applicant/holder the risk-significant SSCs, their associated failure modes and consequence, and reliability and availability assumptions, including any pertinent bases and uncertainties considered in the PRA. The designer will also provide this information for the COL applicant/holder to consider in developing an operations reliability assurance process to help assure that the PRA results will be achieved over the life of the plant.

This information can be used by the COL applicant/holder for establishing appropriate reliability and availability targets and the associated maintenance practices for achieving them.

((The COL applicant/holder shall develop, as part of the D-RAP and operations reliability assurance process, a life-cycle management plan to aid in the design and operation activities intended to achieve the design life objectives (COL Items 17-2, 17-3).))[1] The life-cycle management plan shall be initiated early enough in the design completion process to: 1) aid in the application, selection, and procurement of components with optimum design life characteristics, and 2) develop an aging management plan capable of assuring the plant's original design basis throughout its life.

The aging management plan shall cover (but not necessarily be limited to) containment structures, liner plates, embedded or buried structural components, piping, and other components.

The plan shall consider the potential causes of corrosion which ultimately may be present at the site, including the potential corrosion from copper ground mats. The plan should be initiated early in the design process so that adequate provisions for mitigation measures can be made.

In developing the life-cycle management plan, the COL applicant/holder shall consider the design life requirements prescribed in Section 11.3 ["Design Life"] of the EPRI Utility Requirements Document (URD) and the insights gained from the Nuclear Plant Aging Research Program (e.g., NUREG/CR-4731 and NUREG/CR-5314).

17.3.8 Defining Failure Modes

The determination of dominant failure modes of risk-significant SSCs will include historical information, analytical models and existing requirements. Many PWR systems and components have compiled a significant historical record, so an evaluation of that record comprises Assessment Path A in Figure 17.3-3. Details of Path A are shown in Figure 17.3-4.

For those SSCs for which there is not an adequate historical basis to identify critical failure modes, an analytical approach is necessary, shown as Assessment Path B in Figure 17.3-3. The details of Path B are given in Figure 17.3-5. The failure modes identified in Paths A and B are then reviewed, including the existing maintenance activities in the industry and the maintenance requirements (Assessment Path C in Figure 17.3-3). Detailed steps in Path C are outlined in Figure 17.3-6.

17.3.9 Operations Reliability Assurance Activities

Once the dominant failure modes are determined for risk-significant SSCs, an assessment should be used to determine suggested operations reliability assurance process activities that will assure acceptable performance during plant life. Such activities may consist of periodic surveillance inspections or tests, monitoring of SSC performance, and/or periodic preventive maintenance (Reference 17.3-1). An example of a decision tree that would be applicable to these activities is shown in Figure 17.3-7. As indicated, some SSCs may require a combination of activities to assure that their performance is consistent with the PRA.

Periodic testing of SSCs may include startup of standby systems, surveillance testing of instrument circuits to assure that they will respond to appropriate signals, and inspection of passive SSCs (such as tanks and pipes) to show that they are available to perform as designed. Performance monitoring, including condition monitoring, can consist of measurement of output (such as pump flow rate or heat exchanger temperatures), measurement of magnitude of an important variable (such as vibration or temperature), and testing for abnormal conditions (such as oil degradation or local hot spots).

Periodic preventive maintenance is an activity performed at regular intervals to preclude problems that could occur before the next preventive maintenance (PM) interval. This could be regular oil changes, replacement of seals and gaskets, or refurbishment of equipment subject to wear or age-related degradation. The designer could provide the COL applicant with recommended reliability activities such as providing limitations for assuring reliability, and methods to determine service life, if known.

Planned maintenance activities should be integrated with the regular operating plans so that they do not disrupt normal operation. Maintenance that will be performed more frequently than refueling outages must be planned so as to not disrupt operation or be likely to cause reactor scram, engineered safety feature (ESF) actuation, or abnormal transients. Maintenance planned for performance during refueling outages must be conducted in such a way that it will have little or no impact on plant safety, on outage length, or on other maintenance work.

As plant experience data accumulates, the failure rates and human error rates in the operations reliability assurance process should be updated. These failure rates were used by the designer in the PRA.


((The COL applicant should provide a complete operations reliability assurance process description to be reviewed by the NRC (COL Item 17-3).))[1]

17.3.10 Operations Reliability Assurance Process

((The operations reliability assurance process that is expected to be prepared and implemented by the COL applicant (COL Item 17-3) should make use of the information provided by the designer.))[1] This information will help the owner/operator determine activities that should be included in the operations reliability assurance process. Examples of elements that might be included are as follows:

Reliability Performance Monitoring - Measurement of the performance of equipment to determine that it is accomplishing its goals and/or that it will continue to operate with low probability of failure and high availability. Monitoring should preferably be predictive in nature to prevent loss of critical functions.

Reliability Methodology - Methods by which the plant owner/operator can compare plant data to the SSC data in the PRA.


Problem Prioritization - Identification, for each of the risk-significant SSCs, of the importance of that item as a contributor to its system unavailability and assignment of priorities to problems that are detected with such equipment.

Root Cause Analysis - Determination, for problems that occur regarding reliability of risk-significant SSCs, of the root causes, those causes which, after correction, will not recur to again degrade the reliability of equipment.

Corrective Action Determination - Identification of corrective actions needed to restore equipment to its required functional capability and reliability, based on the results of problem identification and root cause analysis.

Corrective Action Implementation - Carrying out identified corrective action on risk-significant equipment to restore equipment to its intended function in such a way that plant safety is not compromised during work.

Corrective Action Verification - Post-corrective action tasks to be followed after maintenance on risk-significant equipment to assure that such equipment will perform its intended functions.

Plant Aging - Some of the risk-significant equipment is expected to undergo age-related degradation that will require equipment replacement or refurbishment.

Feedback to Designer - The plant owner/operator should periodically compare performance of risk-significant equipment to that specified in the PRA and D-RAP, and, at its discretion, may send SSC performance data to plant or equipment designers in those cases that consistently show performance below that specified. The plant owner/operator should consider participation in the CEOG.

Programmatic Interfaces - Reliability assurance interfaces related to the work of the several organizations and personnel groups working on risk-significant SSCs.

⁸ COL information item; see DCD Introduction Section 3.2.

Approved Design Material - QA Program Page 17.3-8


Maintenance Rule Integration - The plant owner/operator should consider the integration or interface of the operations reliability assurance process and the requirements of 10 CFR 50.65, which requires the operator to develop a maintenance program for risk-significant SSCs or SSCs that could produce trips or transients.

The plant owner's operations reliability assurance process should address the interfaces with construction, startup testing, operations, maintenance, engineering, safety, licensing, quality assurance and procurement of replacement equipment.

17.3.11 D-RAP Implementation

An example of implementation of the D-RAP is given for the Component Cooling Water System (CCWS). This system was selected as an example because it was a support system and was found in the earlier System 80 PRA to contain risk-significant components. Because of this finding, and through the D-RAP organization described in Section 17.3.5, the design was changed. The design and analytical results, as presented in this chapter, are presented only as a D-RAP example and do not necessarily correspond to the current System 80+ design.

17.3.11.1 CCWS Function

The Component Cooling Water System (CCWS) is a closed loop system that provides cooling water flow to remove heat released from plant systems, structures, and components. The CCWS functions to cool the safety-related and non-safety-related reactor auxiliary loads.

Heat transferred by these components to the CCWS is rejected to the Station Service Water System (SSWS) via the CCWS heat exchangers.

17.3.11.2 Earlier CCWS Design

The System 80+ Design is an evolutionary plant and improvements were included with input from the earlier System 80 PRA. The earlier CCWS design is shown in Figure 17.3-8 and described in more detail in Section 5.3.19 of Reference 17.3-2. It consisted of two independent, closed loop, safety trains. Each train contained one pump that was on standby. One of the major insights of the System 80 PRA (Section 8.2 of Reference 17.3-2) was that loss of the CCWS was a dominant cause of front-line system failure. Failure of the CCWS pumps to start and run was one of the dominant failure modes.

17.3.11.3 System Redesign

To more easily meet the desired CDF for the ALWR, the CCWS required a redesign using the process identified in Figure 17.3-2. This redesign was also helped by design review meetings where the Project Manager for the RAP and PRA discussed with the designers the PRA results, including failure modes and importance of support systems to front-line safety systems. An example of an improved CCWS design is given in Figure 17.3-9 and examples of analytical results are presented in Tables 17.3-1 and 17.3-2. Details of the actual System 80+ CCWS design and reliability analysis are given in the System 80+ PRA and do not necessarily correspond to the example presented here.


The improved CCWS design contains two trains (only one is shown in Figure 17.3-9). Each train contains two pumps and one pump is kept running at all times. This design eliminated the important failure mode of the CCWS pump failing to start which was observed in the earlier design. Table 17.3-1 gives an example of the component importance for internal events for an ALWR. The Fussell-Vesely Importance is the fraction of the CDF contributed by failure of that component. The first CCWS component is only ranked 49th in importance based on this measure. The components in the improved CCWS meet the criteria that they have a small impact on risk (bottom of Figure 17.3-2) and can be considered in an operations reliability assurance process.

17.3.11.4 Failure Mode Identification

Figure 17.3-3 gives two methods for operations reliability assurance process evaluation, using failure history or analytical methods. For this example, an analytical method as represented in Figure 17.3-5 was used. Figure 17.3-10 gives an example of the upper level fault tree to analyze failure modes for Train 1 of an improved CCWS. Table 17.3-2 gives an example of the ranking of the risk-significant SSCs for Train 1. There is also a second train not evaluated in this table. Because this CCWS design is an evolutionary design using standard components, a search of the operational databases for component failure rates and operations experience is also possible using Figure 17.3-4, but was not used in this example.
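The two quantities the CCWS example relies on, the ranking of cut sets from the Train 1 fault tree (Table 17.3-2) and the Fussell-Vesely importance of a component (Table 17.3-1), can be computed directly from a list of minimal cut sets and basic-event unavailabilities. The following Python is an added illustration, not code from the DCD or the System 80+ PRA: the cut sets and the unavailability values are constructed for the example (the component names echo Table 17.3-2), and the top event is "Train 1 loses CCW flow" rather than core damage, so the importance it reports is the fraction of that train's unavailability rather than of CDF. The 0.05 screening threshold is likewise a hypothetical value; the DCD does not state one.

```python
"""Cut-set ranking and Fussell-Vesely importance for a small fault tree.

Added worked example; not part of the System 80+ DCD or its PRA.
Basic-event unavailabilities and minimal cut sets are constructed for
illustration (names echo Table 17.3-2, values are hypothetical).
"""
from math import prod
from typing import Dict, FrozenSet, List, Tuple

CutSet = FrozenSet[str]

# Constructed (hypothetical) basic-event unavailabilities for the top event
# "Train 1 fails to deliver CCW flow".  The running pump carries a fail-to-run
# contribution over the mission time; the standby pump carries fail-to-start
# and maintenance-outage contributions, as in the improved two-pump train.
BASIC_EVENTS: Dict[str, float] = {
    "CVNDCC-1316": 2.0e-3,  # manual valve CC-1316 fails to remain open
    "CPBKCCWP1A":  4.0e-2,  # running pump 1A fails to run
    "CPBVCCWP1B":  2.0e-2,  # standby pump 1B unavailable due to maintenance
    "CPBJCCWP1B":  5.0e-3,  # standby pump 1B fails to start
    "CHWEHX1A":    1.0e-2,  # heat exchanger 1A fails while operating
    "CVMACC-107":  3.0e-3,  # MOV CC-107 fails to open
}

# Constructed minimal cut sets: failure of every event in any one set fails the train.
MINIMAL_CUT_SETS: List[CutSet] = [
    frozenset({"CVNDCC-1316"}),
    frozenset({"CPBKCCWP1A", "CPBVCCWP1B"}),
    frozenset({"CPBKCCWP1A", "CPBJCCWP1B"}),
    frozenset({"CHWEHX1A", "CVMACC-107"}),
]


def cut_set_probability(cut_set: CutSet, events: Dict[str, float]) -> float:
    """Probability of a cut set, treating its basic events as independent."""
    return prod(events[e] for e in cut_set)


def top_event_probability(cut_sets: List[CutSet], events: Dict[str, float]) -> float:
    """Rare-event approximation: the sum of the minimal cut set probabilities.

    Adequate when every cut set probability is small, as here; the exact
    inclusion-exclusion value is slightly lower.
    """
    return sum(cut_set_probability(cs, events) for cs in cut_sets)


def rank_cut_sets(cut_sets: List[CutSet], events: Dict[str, float]) -> List[Tuple[CutSet, float]]:
    """Cut sets ordered by decreasing probability, the order Table 17.3-2 uses."""
    scored = [(cs, cut_set_probability(cs, events)) for cs in cut_sets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def fussell_vesely(component: str, cut_sets: List[CutSet], events: Dict[str, float]) -> float:
    """Fraction of the top-event probability carried by cut sets containing the component."""
    total = top_event_probability(cut_sets, events)
    share = sum(cut_set_probability(cs, events) for cs in cut_sets if component in cs)
    return share / total


def risk_significant(cut_sets: List[CutSet], events: Dict[str, float],
                     threshold: float = 0.05) -> List[str]:
    """Components whose Fussell-Vesely importance meets a screening threshold.

    The 0.05 default is a hypothetical screening value for this example.
    """
    return sorted(c for c in events if fussell_vesely(c, cut_sets, events) >= threshold)


if __name__ == "__main__":
    for rank, (cs, p) in enumerate(rank_cut_sets(MINIMAL_CUT_SETS, BASIC_EVENTS), start=1):
        print(f"{rank}) {' + '.join(sorted(cs)):26s} {p:.2E}")
    for c in BASIC_EVENTS:
        print(f"FV({c}) = {fussell_vesely(c, MINIMAL_CUT_SETS, BASIC_EVENTS):.3f}")
    print("risk-significant:", risk_significant(MINIMAL_CUT_SETS, BASIC_EVENTS))
```

With these constructed values the ranking reproduces the shape of the first three rows of Table 17.3-2 (a single manual valve first, then pump 1A fail-to-run paired with each unavailability of the standby pump), and the running pump 1A, which appears in two cut sets, collects a higher importance than either standby-pump event on its own.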

Following the flow chart of Figure 17.3-5, the designer would determine more details about each failure mode, including pieceparts most likely to fail and the frequency of each failure mode category or piecepart failure. This would result in a list of the dominant failure modes to be considered in the operations reliability assurance process. ASME Section XI requirements for inspection and other mandated inspections and tests would be identified, as indicated in Figure 17.3-6.

Examples of the types of failure modes that could impact reliability of these identified components are shown in Table 17.3-3. The example is not a complete listing of the important failure modes, but is intended to indicate the types of failures that would be considered.

17.3.11.5 Identification of Maintenance Requirements

For each identified failure mode, the appropriate maintenance tasks will be identified to assure that the failure mode will be (1) avoided, (2) rendered insignificant, or (3) kept to an acceptably low probability.

The type of maintenance and the maintenance frequencies are both important aspects of assuring that the equipment failure will be consistent with that assumed for the PRA. As indicated in Figure 17.3-7, the designer would consider periodic testing, performance testing or periodic preventive maintenance as possible operations reliability assurance process activities to keep failure rates acceptable.

For the CCWS, one pump in each train is in operation and all the valves in that flow path are open. An example of the possible maintenance and testing follows and is summarized in Table 17.3-3. Minor PM on the pumps will be performed based on the recommendations of the vendor (8000 hrs of operation, for example) and a major overhaul would be performed every 50,000 hrs of operation. Only maintenance on one pump will be performed at a time during Modes 1 through 4. The most frequent surveillance requirement for the CCWS might be to verify that each CCW manual, power-operated or automatic valve in the flow path servicing essential equipment, that is not locked, sealed, or otherwise secured in position, is in its correct position. This test is performed every 31 days. Additionally, there is a surveillance requirement that every 18 months, it must be demonstrated that each CCW automatic valve actuates and each CCW pump starts on an actual or simulated actuation signal. Examples of maintenance activities and frequencies are shown in Table 17.3-3 for each identified failure mode. The D-RAP will include documentation of the basis for each suggested operations reliability assurance process activity.
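The maintenance program sketched above mixes two kinds of trigger (operating-hour intervals from the pump vendor, calendar intervals from the surveillance requirements) with one scheduling constraint (only one pump per train in maintenance at a time during Modes 1 through 4). The following Python is an added illustration of how an owner/operator might track those triggers; it is not from the DCD. The intervals are the ones quoted above, while the run-hour counters, last-performed dates and pump names are constructed inputs.

```python
"""Due-activity check for the CCWS maintenance and surveillance intervals.

Added worked example; not from the System 80+ DCD.  Intervals are those
quoted in Subsection 17.3.11.5; run-hour counters, dates and pump names
are constructed inputs.
"""
from calendar import monthrange
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Activity:
    name: str
    hours: Optional[int] = None   # operating-hour interval (vendor-based PM)
    days: Optional[int] = None    # calendar interval in days (surveillance)
    months: Optional[int] = None  # calendar interval in months (surveillance)


# Pump PM is counted in operating hours; surveillances are calendar-based.
PUMP_ACTIVITIES = [
    Activity("Minor PM", hours=8000),
    Activity("Major overhaul", hours=50000),
]
TRAIN_SURVEILLANCES = [
    Activity("Valve position verification", days=31),
    Activity("Automatic valve actuation / pump start test", months=18),
]


@dataclass
class Record:
    """Bookkeeping for one component: run hours now, and when each activity was last done."""
    run_hours: float = 0.0
    hours_at_last: Dict[str, float] = field(default_factory=dict)
    date_of_last: Dict[str, date] = field(default_factory=dict)


def add_months(d: date, n: int) -> date:
    """Calendar month arithmetic that clips to the last day of a short month."""
    years, month_index = divmod(d.month - 1 + n, 12)
    year, month = d.year + years, month_index + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))


def is_due(act: Activity, rec: Record, today: date) -> bool:
    """Due when the hour or calendar interval has elapsed; never performed counts as due."""
    if act.hours is not None:
        return rec.run_hours - rec.hours_at_last.get(act.name, 0.0) >= act.hours
    last = rec.date_of_last.get(act.name)
    if last is None:
        return True
    if act.days is not None:
        return (today - last).days >= act.days
    return today >= add_months(last, act.months)


def due_activities(acts: List[Activity], rec: Record, today: date) -> List[str]:
    return [a.name for a in acts if is_due(a, rec, today)]


def select_pump_for_pm(train: Dict[str, Record]) -> Optional[str]:
    """Only one pump per train is worked on at a time (Modes 1 through 4):
    choose the pump with the largest run-hour overrun past a PM due point."""
    best, best_overrun = None, 0.0
    for pump, rec in train.items():
        for act in PUMP_ACTIVITIES:
            overrun = rec.run_hours - rec.hours_at_last.get(act.name, 0.0) - act.hours
            if overrun >= 0 and (best is None or overrun > best_overrun):
                best, best_overrun = pump, overrun
    return best


# Constructed sample state for one train (hypothetical pump names and values).
TRAIN_1 = {
    "CCWP-1A": Record(run_hours=16500.0, hours_at_last={"Minor PM": 8000.0, "Major overhaul": 0.0}),
    "CCWP-1B": Record(run_hours=7900.0, hours_at_last={"Minor PM": 0.0, "Major overhaul": 0.0}),
}
TRAIN_1_SURVEILLANCE = Record(date_of_last={
    "Valve position verification": date(2024, 3, 1),
    "Automatic valve actuation / pump start test": date(2022, 10, 15),
})

if __name__ == "__main__":
    today = date(2024, 4, 5)
    print("surveillances due:", due_activities(TRAIN_SURVEILLANCES, TRAIN_1_SURVEILLANCE, today))
    for pump, rec in TRAIN_1.items():
        print(pump, "PM due:", due_activities(PUMP_ACTIVITIES, rec, today))
    print("pump to release for PM now:", select_pump_for_pm(TRAIN_1))
```

Tracking the hour-based activities against a run-hour counter rather than the calendar matters for this design: with one pump running continuously, the operating pump reaches its 8000-hour minor PM point in under a year while the standby pump accrues almost no hours, so the two pumps in a train naturally stagger and the one-at-a-time constraint is rarely binding.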

17.3.12 Glossary of Terms and Acronyms

ALWR - Advanced Light Water Reactor
ASME - American Society of Mechanical Engineers
CCWS - Component Cooling Water System
CDF - Core Damage Frequency, as calculated by the probabilistic risk assessment.
CEOG - Combustion Engineering plant Owners Group.
CFR - Code of Federal Regulations
COL - Combined License
D-RAP - Design Reliability Assurance Program. Performed by the plant designer to assure that the plant is designed so that it can be operated and maintained in such a way that the reliability assumptions of the probabilistic risk assessment apply throughout plant life.
EOP - Emergency Operating Procedure
EPRI - Electric Power Research Institute
ESF - Engineered Safety Features
I&C - Instruments & Controls
Owner/Operator - The utility, COL applicant, or other organization that owns and operates the System 80+ following construction.
PM - Preventative Maintenance
PRA - Probabilistic Risk Assessment. Performed to identify and quantify the risk associated with the System 80+.
PWR - Pressurized Water Reactor
RAP - Reliability Assurance Program
RCM - Reliability Centered Maintenance
Risk-Significant - Those structures, systems and components which are identified as contributing significantly to the system unavailability.
SSC - Structures, Systems, and Components
SSWS - Station Service Water System

17.3.13 COL Information

  • Policy and Implementation Procedures for D-RAP

((The COL applicant will specify the policy and implementation procedures for using D-RAP information.))⁸ (See Subsection 17.3.1) (COL Item 17-2)


  • D-RAP Organization

((The COL applicant, completing its detailed design and equipment selection during the design phase, must submit its specific D-RAP organization for NRC review.))⁸ (See Subsection 17.3.5) (COL Item 17-2)

  • Provision for Operations Reliability Assurance Process

((The COL applicant will implement an operations reliability assurance process, to be reviewed by the NRC in the plant's maintenance program, QA program, or other existing programs.))⁸ (See Subsection 17.3.9) (COL Item 17-3)

17.3.14 References

17.3-1 Lofgren, E. V., et al., "A Process for Risk-Focused Maintenance," SAIC, NUREG/CR-5695, March 1991.

17.3-2 "Base Line Level 1 Probabilistic Risk Assessment for the System 80 NSSS Design," ABB-CE, January 1988.


System 80+ Design controlDocument U fable 17.3-1 Example of Cornponent hnportance for an ALWR for Internal Events Fussell-Vesley Component Component Description Irnportance AEFP1031NDD Failure of EFW System Turbine Driven Pump EFWP-103 to Start 1.12E-1 AEFP10lINDD Failure of EFW System Turbine Driven Pump EFWP-101 to Stan 1.04E-1 HPMXA4 Common Cause Failure of 4 Out of 4 SI Pumps 8.22E-2 EDGAINDD Diesel Generator A Demand Independent Faults 7.91E-2 EDGBINDD Diesel Gene ator B Demand Independent Faults 7.71E-2 HPMXA3 Common Cause Failure of 2 or More S1 Pumps 4.87E-2 FSSOSIAS Operator Fails to Generate SIAS 3.85E-2 FSSXSIAS Common Cause Failure of Safety injection Actuation Signal 3.85E-2 HPMXAl Common Cause Failure of 3 or 4 SI Pumps 3.55E-2 IIVMXD2 Common Cause Failure of 2 of 2 Hot Leg injection Valves 3.39E-2 EDDXDG Common Cause Failure of Diesel Generators 3.33E-2 (J HVMXC1 Common Cause Failure of 3 out of 4 DVI Motor Valves 2.06E-2 liVMAGS1312 Hot 1.eg Injection Motor Valve SI 312 Group Fails to Open 1.92E-2 IIVMAGS1313 Hot Leg injection Motor Valve SI-313 Group Fails to Open 1.92E-2 HVMAGS1412 Hot Leg injection Motor Valve SI-412 Group Fails to Open 1.92E-2 HVMAGS1413 Hot Leg injection Motor Valve SI-413 Group Fails to Open 1.92E-2 IIVMXC4 Common Cause Failure of 4 Out of 4 DVI Motor Valves 1.41E-2 IIPMJGSIP301 St Pump SI P301 Group Fails to Start 1.39E-2 IIPMJGSIP401 SI Pump SI-P401 Group Fails to Stan 1.39E-2 APTX-EFP12 Common Cause Failure of Turbine Driven EFW Pumps 1.14 E-2 EFWP101/103 DVPBADVS ADVs on Ruptured SG-2 Fails to Reclose 8.07E-3 ELBX125CIE Common Cause Failure of Class 1-E 125 VDC Buses 7.75E-3 EBATillNDU Battery 11 Unavailable 5.71E-3 CVMAMV123 CCW/CS Heat Exchanger Isolation MOV MV-123 Fails to Open 4.90E-3

.f 3

\

v

)

AsyvovesiDesign ataternt- QA Program Pope 17.313

System 80+ Design ControlDocument Table 17.3-1 Example of Cornponent Importance for an ALWR for Internal Events (Cont'd.)

Tussell-Vesley Component Component Description Importance liVMOSI304 Motor Valve SI-304 not Open Due to Pre-Existing Error 4.80E-3 EBATIINDU Battery I Unavailable 4.16E-3 AEFP102iNDD Failme of EFW System Motor-Driven Pump EFWP-102 to Stan 4.12E-3 CVMAMV124 CCW/SCS IIcat Exchanger Isolation MOV MV-124 Fails to Open 3.91E-3 JVMAGSil27 SCS Motor Valve SI 127 Fails to Open 3.91E-3 GVMXA2 Common Cause Fa' Jure of CTMT Isolation Valves SI-144/SI-244 3.39E-3 FSERAPS No (EFAS) Actuation Signal from Alternate Protection System 3.15E-3 FSEX-EFAS Common Cause Failure of Emergency Feedwater Actuation Signal 3.15E-3 IIPMKSIP301 St Pump SI-P301 Fails to Operate 3.01E-3 IIPMKSIP401 SI Pump SI-P401 Fails to Operate 3.01E-3 APMX-EFP22 Common Cause Failure of Motor-Driven EFW Pumps 2.92E-3 ,

EFWP-102/104 IIVMXC3 Common Cause Failure of 2 or More DVI Motor Isolation Valves 2.10E-3 APMKEFP102 EFW System Motor Driven Pump EFWP-102 Fails to Operate 2.06E-3 JVMAGSI120 SCS Motor Valve SI 120 Fails to Open 1.87E-3 JVMAGSil21 SCS Motor Valve SI-121 Fails to Open 1.87E-3 ll JVMAGSil22 SCS Motor Valve SI-122 Fails to Open 1.87E-3 JVMAGSil29 SCS Motor Valve S1-129 Fails to Open 1.87E 3 I l

GVMAGS1244 CTMT Spray Motor Valve Sf-244 Fails to Open 1.51E-3 1 CVMAMV223 CCW/CS licat Exchanger Isolation MOV MV-223 Fails to Open 1.51E-3 AVCAEF214 Non-Safety Condensate Source Check Valve EF-214 Fails to Open 1.50E-3 AVNAEF215 Non-Safety Source 150. Manual Valve EF-215 Cannot Be Opened 1.50E-3 IIVMOS1204 Motor Valve S1-204 Not Open Due to Pre-Existing Error 1.39E-3 GVMAGSil44 CTMT Spray Motor Valve SI-144 Fails to Open 1.36E-3 GliRVCSIIXl CTMT Spray IIcat Exchanger i Unavailable Due to Maintenance 1.24 E-3 cpl!X-CCWP44 Common Cause Failure of All Four (4) CCW Pumps (to Start) 1.16E-3 j 1

AS4weved Desiges Meteniel GA Program Page 17.3-14 l

1

System 80+ Design ControlDocument I A-b Table 17.3-1 Example of Component Importance for an ALWR for Internal Events (Cont'd.) ,

Fussell-Vesley Coenponent Component Description Importance CPMX ESWSP44 Conunon Cause Failure of All Four (4) ESWS Pumps (to Start) 1.16E-3 CVNOV234-235 CCW Manual Valves V-234/235 for SI Pump 2 N.O. Due to M.E. 1.14E-3 CVNOV236-237 CCW Manual Valves V-236/237 for St Pump 4 N.O. Due to M.E. 1.14E-3 FSXX-HITEMP Common Cause Failure of CS High Temperature Actuation Signal 1.08E-3 FSSXCSAS Common Cause Failure of Containment Spray Actuation Signal 1.08E-3 IIVMOS1104 Motor Valve SI-104 not Open Due to Pre-Existing Error 1.01E-3 A


Table 17.3-2 Example of Risk-Significant Ranking of SSCs for the CCWS Train 1

Rank  Component Name  Description
1)  CVNDCC-1316  Manual Valve CC-1316 Fails to Remain Open
2)  CPBKCCWP1A  Component Cooling Water Pump 1A Fails to Run
    CPBVCCWP1B  CCW Pump 1B Unavailable Due to Maintenance
3)  CPBJCCWP1B  CCW Pump 1B Fails to Start
    CPBKCCWP1A  Component Cooling Water Pump 1A Fails to Run
4)  CHFLCC-1305  Valve CC-1305 not Opened Due to Pre-existing Maint. Error
    CPBKCCWP1A  Component Cooling Water Pump 1A Fails to Run
5)  CHWEHX1A  CCW/SW Heat Exchanger 1A Fails While Operating
    CVMACC-107  MOV CC-107 Fails to Open
6)  CHWEHX1A  CCW/SW Heat Exchanger 1A Fails While Operating
    CVMACC-109  MOV CC-109 Fails to Open
7)  CHWEHX1A  CCW/SW Heat Exchanger 1A Fails While Operating
    CVMASW-123  MOV SW-123 Fails to Open
8)  CHWEHX1A  CCW/SW Heat Exchanger 1A Fails While Operating
    CVMASW-121  MOV SW-121 Fails to Open
9)  CHFFSTBHX1B  Operator Fails to Open CCW HX 1B Isolation Valves
    CHWEHX1A  CCW/SW Heat Exchanger 1A Fails While Operating
10)  CBDBCCWP1B  4.16 kV Circuit Breaker 1B Fails to Close
    CPBKCCWP1A  Component Cooling Water Pump 1A Fails to Run
11)  CPBVCCWP1B  CCW Pump 1B Unavailable Due to Maintenance
    CVCDCC-1302  Check Valve CC-1302 Fails to Remain Open
12)  CBDQCCWP1A  4.16 kV Circuit Breaker 1A Trips Spuriously
    CPBVCCWP1B  CCW Pump 1B Unavailable Due to Maintenance
13)  CPBKCCWP1A  Component Cooling Water Pump 1A Fails to Run
    CVCACC-1303  Check Valve CC-1303 Fails to Open
14)  CPBJCCWP1B  CCW Pump 1B Fails to Start
    CVCDCC-1302  Check Valve CC-1302 Fails to Remain Open
15)  CBDQCCWP1A  4.16 kV Circuit Breaker 1A Trips Spuriously
    CPBJCCWP1B  CCW Pump 1B Fails to Start
16)  CPBKCCWP1A  Component Cooling Water Pump 1A Fails to Run
    CPBXDCCWP1B-2B  Common Cause Demand Failure of CCWPs 1B, 2B
17)  CPBKCCWP1A  Component Cooling Water Pump 1A Fails to Run
    CPBKCCWP1B  Component Cooling Water Pump 1B Fails to Run
18)  CHFLCC-1305  Valve CC-1305 not Opened Due to Pre-Existing Maintenance Error
    CVCDCC-1302  Check Valve CC-1302 Fails to Remain Open
19)  CHWEHX1A  CCW/SW Heat Exchanger 1A Fails While Operating
    CHWVHX1B  CCW HX 1B Unavailable Due to Maintenance
20)  CVMACC-107  MOV CC-107 Fails to Open
    CVMDCC-108  MOV CC-108 Fails to Remain Open


Table 17.3-3 Example of CCWS Failure Modes & Operations Reliability Assurance Process Activities

Component  Failure Mode/Cause  Recommended Maintenance  Maintenance Intervals  Basis
CCWS Pump  Fails to Start, Electrical  Functional Test Pump  18 Months  Experience with Other Pumps
CCWS Pump  Fails to Run, Mechanical  Functional Test  18 Months  Experience with Other Pumps
CCWS Pump  Fails to Run, Mechanical  Minor PM  8000 Op. Hrs  Pump Vendor
CCWS Pump  Fails to Run, Mechanical  Major PM  50000 Op. Hrs  Pump Vendor
CCWS Pump  Leaking Seals, Gaskets  Visual Inspection  31 Days  ASME Code
CCWS MOV  Fails to Open  Functional Test  31 Days  Experience with MOVs
Manual Valve  Fails to Remain Open  Inspect Valve Interior  5 Yrs  Corrosion Experience
Manual Valve  Left Closed, Op. Error  Functional Test  After Maintenance  Operating Experience
Heat Exchanger  Fails, Leakage  Walkdown  31 Days  Operating Experience
Heat Exchanger  Fouling  Monitor ΔP, ΔT  7 Day Trending  Operating Experience


Table 17.3-4 Reference Locations Where D-RAP Systems and Equipment are Specified

System or Equipment  Reference

From PRA
Risk-Significant SSCs for Inclusion in D-RAP  Table 19.15.6-1
PRA, Level I Equipment  System 80+ PRA
Seismic Fragilities  System 80+ PRA
PRA, Level II, III Equipment  Table 19.15.6-1
Containment Spray System  Section 19.11.3
PRA, Shutdown Risk  System 80+ PRA
External Events, Diesel Generators  Section 19.15.3.1
SSW Intake Structure  Section 19.15.3.1
Fire Barriers  Section 19.15.3.2
Flood Barriers  Section 19.15.3.3
Significant PRA-Based Safety Insights  Table 19.15-1
Risk Significant SSCs for Consideration in the RAP and Other Activities  Section 19.15.6

From Other Sources
Equipment Classified As QC-2  Table 3.2-1
Hydrogen Igniters  Section 6.2.5
Cavity Flood System  Section 6.8.2.2.4
IRWST Screen  Section 6.8
I&C Equipment  Section 7.1.3B
Equipment Specified in 10CFR50.62  Section 7.7.1.1.11
Dedicated Seal Injection System  Section 9.3.4.3.1
Containment Cleanliness  Section 13.5

[Organization chart figure (precedes Figure 17.3-2; caption not legible in the scan). Boxes recoverable from the scan: Management Advisory Board; Project Director; Plant Manager; NSSS Design Manager; Reactor Building Design Manager; Balance of Plant Design Manager; PRA & D-RAP Program Manager.]

[Figure 17.3-2 Design Evaluation for SSCs (flowchart; only the box labels are recoverable from the scan): Risk significant SSCs identified by PRA; In design phase: are failure rates > those in PRA?; Are PRA results significantly changed by higher failure rate?; SSC redesign or procedure change; System fault tree recalculation; Reliability assessment; Does SSC failure have a large impact on system unavailability?; Is component redesign feasible, practical and cost effective?; SSCs for operations reliability assurance process.]

[Figure 17.3-3 (flowchart; caption not legible in the scan; box labels recoverable): Risk-significant SSCs for operations reliability assurance process; Does failure history identify critical failure modes at piecepart level? (yes: Assessment Path A; no: Assessment Path B, identify critical failure modes at piecepart level using analytical methods); Identify existing maintenance-related activities and requirements; Define dominant failure modes to defend against; Identify maintenance requirements.]

[Figure 17.3-4 Use of Failure History to Define Failure Modes (flowchart; box labels recoverable from the scan). Information needed: input from accepted industry data bases; consultation with knowledgeable engineering, operations and maintenance personnel; root cause analysis; design reviews; system walkdowns. Assessment Path A: data assessment to establish failure history; determine the analysis boundary (individual component, component type in similar applications, etc.); from failure history, construct list of failure modes/causes at piecepart level; if appropriate, develop failure mode categories and assign each piecepart failure to a category; obtain occurrence frequency of each category (or piecepart failure); define the dominant failure mode list from data considerations.]

[Figure 17.3-5 Analytical Assessment to Define Failure Modes (flowchart; largely illegible in the scan). Recoverable labels: Information needed; Assessment Path B: qualitative analytical assessment (perform a fault tree or [illegible] at piecepart level); identify piecepart failures that have common cause potential, including by aging or wear.]

[Figure 17.3-6 Inclusion of Maintenance Requirements in the Definition of Failure Modes (flowchart; contents not legible in the scan).]

[Figure 17.3-7 Identification of Risk-Significant SSC Operations Reliability Assurance Process Activities (flowchart; box labels recoverable from the scan): Dominant failure modes of risk-significant SSCs; Does SSC require periodic testing? (yes: specify required tests); Does SSC require performance testing? (yes: specify performance monitoring); Does SSC require periodic preventive maintenance? (yes: specify periodic PM); Document for owner/operator maintenance activities and bases, plus uncertainties, for the risk-significant SSCs.]

[Figure 17.3-8 Example of Early CCWS Design (flow diagram; not recoverable from the scan).]

[Figure 17.3-9 Example of Improved CCWS Design (flow diagram; not recoverable from the scan).]

[Figure 17.3-10 (fault tree diagram; caption and contents not legible in the scan).]

Effective Page Listing

Chapter 18

Pages  Date
i, ii  1/97
iii - vi  Original
vii - ix  11/96
18.1-1  Original
18.2-1 through 18.2-4  Original
18.3-1 through 18.3-4  Original
18.4-1  11/96
18.4-2 through 18.4-15  Original
18.5-1 through 18.5-42  Original
18.6-1 through 18.6-35  Original
18.7-1 through 18.7-28  Original
18.7-29  2/95
18.7-30 through 18.7-47  Original
18.7-48  2/95
18.7-49 through 18.7-89  Original
18.7-90  2/95
18.7-91 through 18.7-195  Original
18.8-1 through 18.8-4  Original
18.9-1 through 18.9-3  Original
18.10-1, 18.10-2  Original

Approved Design Material - Human Factors Engineering (1/97) Page i

Chapter 18 Contents

Section  Page
18.0 Human Factors Engineering  18.1-1
18.1 Introduction  18.1-1
18.2 Design Team Organization and Responsibilities  18.2-1
18.2.1 Nuplex 80+ Design Team  18.2-1
18.2.2 Nuplex 80+ Design Review Team  18.2-2
18.3 Design Goals and Design Bases  18.3-1
18.3.1 Design Goals  18.3-1
18.3.2 Control Room Staffing and Configuration Design Bases  18.3-1
18.3.3 Control Panel Design Bases  18.3-2
18.3.4 Information Presentation and Control Design Bases  18.3-3
18.4 Design Process and Application of Human Factors Engineering  18.4-1
18.4.1 Design Process Overview  18.4-1
18.4.2 Human Factors Program Plan  18.4-2
18.4.3 Operating Experience Review  18.4-4
18.4.4 Human Factors Evaluation and Allocation of System 80+ Functions  18.4-4
18.4.5 Functional Task Analysis  18.4-5
18.4.6 Staffing and Configuration Evaluation  18.4-5
18.4.7 Information Presentation and Panel Design  18.4-6
18.4.8 Control and Monitoring Stations Outside the Main Control Room  18.4-7
18.4.9 Verification and Validation  18.4-7
18.5 Functional Task Analysis  18.5-1
18.5.1 Method  18.5-1
18.5.2 Results  18.5-8
18.5.3 Comparison with Experience-Based Instrumentation Requirements  18.5-10
18.5.4 MCR Annunciator, Display, and Control Inventory  18.5-11
18.6 Control Room Configuration  18.6-1
18.6.1 Definition of Configuration Terms  18.6-1
18.6.2 Operational Requirements and Staffing Design Bases  18.6-1
18.6.3 Workspace and Configuration Human Engineering Criteria  18.6-2
18.6.4 Candidate Configuration Evaluation  18.6-3
18.6.5 Nuplex 80+ Control Room Configuration  18.6-5
18.6.6 Control Room Environment and Communication  18.6-12
18.7 Information Presentation and Panel Layout Evaluation  18.7-1
18.7.1 Nuplex 80+ Information Presentation  18.7-1
18.7.2 Nuplex 80+ Information/Panel Layout Criteria  18.7-50
18.7.3 RCS Panel Design  18.7-60
18.7.4 Other Nuplex 80+ Panel Designs  18.7-91

System 80+ Design Control Document

Chapter 18 Contents (Cont'd.)

18.8 Control & Monitoring Outside the Main Control Room ... 18.8-1
18.8.1 Remote Shutdown Panel ... 18.8-1
18.9 Verification and Validation ... 18.9-1
18.9.1 Availability Verification ... 18.9-1
18.9.2 Suitability Verification ... 18.9-2
18.9.3 Validation ... 18.9-2
18.10 Documents Used in Licensing Review ... 18.10-1

Chapter 18 Tables

18.2-1 Nuplex 80+ Design Team Composition ... 18.2-1
18.2-2 Nuplex 80+ Design Team Responsibilities ... 18.2-1
18.2-3 Nuplex 80+ Design Review Team Composition ... 18.2-2
18.5.1-1 Task Element Data Form ... 18.5-13
18.5.2-1 System 80+ System Function Descriptions ... 18.5-14
18.5.2-2 RCS System Purposes and Basic Functions ... 18.5-15
18.5.2-3 General System 80+ Component Data ... 18.5-16
18.5.2-4 Reactor Trip Gross Functions and Subfunctions ... 18.5-17
18.5.2-5 Reactor Trip Task Listing ... 18.5-19
18.5.2-6 Reactor Trip Task Element Listing ... 18.5-22
18.5.2-7 Reactor Trip Collect Information ... 18.5-26
18.5.2-8 List of Analyzed RCS Parameters ... 18.5-29
18.5.2-9 Pressurizer Pressure Parameter Uses ... 18.5-30
18.5.2-10 Parameter Summary for Pressurizer Pressure ... 18.5-32
18.5.2-11 Pressurizer Pressure Characteristics ... 18.5-33
18.5.2-12 Reactor Trip Time Profile ... 18.5-36
18.5.4-1 MCR Minimum Inventory of Fixed Position Annunciators, Displays and Controls ... 18.5-40
18.7.1-1 Nuplex 80+ Coding Matrix ... 18.7-108
18.7.3-1 RCS Gross Functions and Subfunctions ... 18.7-110
18.7.3-2 RCS Panel Switch Descriptions ... 18.7-113
18.7.3-3 RCS Panel Switch Identification ... 18.7-114

Approved Design Material - Human Factors Engineering Page iv

Chapter 18 Figures

18.4-1 Nuplex 80+ Design Process ... 18.4-10
18.4-2 Deleted ... 18.4-11
18.4-3 Staffing and Configuration Evaluation ... 18.4-12
18.4-4 Information Presentation and Panel Design Analysis ... 18.4-13
18.4-5 Nuplex 80+ Man-Machine Interface Philosophy ... 18.4-14
18.4-6 Nuplex 80+ Information Display Hierarchy ... 18.4-15
18.6.4-1 TVA Nuplex 80 Reference Design ... 18.6-16
18.6.4-2 Duplication of ACSC Control ... 18.6-17
18.6.4-3 Hybrid Control Room (Proximity Plus Duplication) ... 18.6-18
18.6.4-4 Horseshoe Configuration ... 18.6-19
18.6.5-1 Nuplex 80+ Control Room ... 18.6-20
18.6.5-2 Overall Functional Layout of Nuplex 80+ Control Room ... 18.6-21
18.6.5-3 Nuplex 80+ Controlling Workspace ... 18.6-22
18.6.5-4 Nuplex 80+ Control Room Configuration ... 18.6-23
18.6.5-5 Control Room Furnishings ... 18.6-24
18.6.5-6 Document Storage Space ... 18.6-25
18.6.5-7 MCC Visibility ... 18.6-26
18.6.5-8 ACSC Visibility ... 18.6-27
18.6.5-9 CRS Console Visibility ... 18.6-28
18.6.5-10 Controlling Workspace Dimensions ... 18.6-29
18.6.5-11 Nuplex 80+ MCC Panel Profile ... 18.6-30
18.6.5-12 Nuplex 80+ ACSC Panel Profile ... 18.6-33
18.7.1-1 Integrated Information Presentation ... 18.7-116
18.7.1-2 Integrated Process Status Overview (Typical) ... 18.7-117
18.7.1-3 CRT Display Page Hierarchy ... 18.7-118
18.7.1-4 Display Page Menu Option Region ... 18.7-119
18.7.1-5 Primary Display Page Directory ... 18.7-120
18.7.1-6 Display Page Message for Menu Option Support for Parameter on the Display Page ... 18.7-121
18.7.1-7 Discrete Indicator with Trend and Menu Formats ... 18.7-122
18.7.1-8 Description of Nuplex 80+ Alarm Coding Features ... 18.7-123
18.7.1-9 Alarm Listing ... 18.7-124
18.7.1-10 Alarm Tile Panel Display Showing Alarm Tiles and Alarm Message ... 18.7-125
18.7.1-11 Alarm Tile Panel Display Showing Alarm Listing Format ... 18.7-126
18.7.1-12 Typical ESF Unavailability Monitoring Module ... 18.7-127
18.7.1-13 Level 1 Critical Function Display Page ... 18.7-128
18.7.1-14 Level 2 Critical Function Display Page ... 18.7-129
18.7.1-15 Level 3 Critical Function Display Page ... 18.7-130
18.7.1-16 Standardized Format for Process Controller Display ... 18.7-131
18.7.1-17 Process Controller Display Depicting Selection Options Associated with Master Loop Control ... 18.7-132
18.7.1-18 Process Controller Display Depicting Subloop Control Setpoint Selection ... 18.7-133


Chapter 18 Figures (Cont'd.)

18.7.1-19 Process Controller Display Depicting a Typical Operating Mode Selection Display ... 18.7-134
18.7.1-20 Process Controller Display Depicting a Typical Component Selection ... 18.7-135
18.7.1-21 Typical DIAS Multiple Parameter Display with Analog and Trend Formats ... 18.7-136
18.7.2-1 Control Panel Layout Configuration ... 18.7-137
18.7.2-2 Symbol List ... 18.7-138
18.7.2-3 Pushbutton Information Display Scheme Example ... 18.7-139
18.7.2-4 Deleted ... 18.7-140
18.7.3-1 Primary Systems Monitoring Page (Level 1) ... 18.7-141
18.7.3-2 RCS Control Page (Level 2) ... 18.7-142
18.7.3-3 Pressurizer Pressure Diagnostic Page (Level 3) ... 18.7-143
18.7.3-4 Pressurizer Level Diagnostic Page (Level 3) ... 18.7-144
18.7.3-5 RCS/Vessel Diagnostic Page (Level 3) ... 18.7-145
18.7.3-6 RCS Temperature Diagnostic Page (Level 3) ... 18.7-146
18.7.3-7 RCP 1A/1B Control Page (Level 2) ... 18.7-147
18.7.3-8 RCP 1A Seal/Cooling Diagnostic Page (Level 3) ... 18.7-148
18.7.3-9 RCP 1A Pump, Motor and Oil System Diagnostic Page (Level 3) ... 18.7-149
18.7.3-10 RCP Seal/Bleed Subsystem Diagnostic Page (Level 3) ... 18.7-150
18.7.3-11 Pressurizer Pressure and Level Menu Pages for DIAS ... 18.7-151
18.7.3-12 Thot and Tcold Trend Pages for DIAS ... 18.7-152
18.7.3-13 Thot and Tcold Menu Pages for DIAS ... 18.7-153
18.7.3-14 RCP Seal/Bleed and RCS DIAS Displays ... 18.7-154
18.7.3-15 RCP Seal/Bleed and RCS Subcooling Menu Pages ... 18.7-155
18.7.3-16 RCS Pressurizer Temperature Menu Page ... 18.7-156
18.7.3-17 RCS Vessel Menu Page ... 18.7-157
18.7.3-18 RCS Acoustic Leak Monitoring System Menu Page ... 18.7-158
18.7.3-19 RCS D/P Menu Page ... 18.7-159
18.7.3-20 RCP 1A and 1B Typical Analog Display ... 18.7-160
18.7.3-21 RCP 1A Seal System Menu Page ... 18.7-161
18.7.3-22 RCP 1A Cooling System Menu Page ... 18.7-162
18.7.3-23 RCP 1A Pump/Motor Menu Page ... 18.7-163
18.7.3-24 RCP 1A Oil System Menu Page ... 18.7-164
18.7.3-25 RCS Panel Switches ... 18.7-165
18.7.3-26 Pressurizer Pressure Controller Depicting Pressurizer Pressure Setpoint Display ... 18.7-166
18.7.3-27 Pressurizer Pressure Controller Depicting Pressurizer Signal Sources Selection ... 18.7-167
18.7.3-28 Pressurizer Pressure Controller Depicting Heater Output Control ... 18.7-168
18.7.3-29 Pressurizer Pressure Controller Depicting Spray Output Control ... 18.7-169
18.7.3-30 Pressurizer Pressure Controller Depicting Proportional Heater Control ... 18.7-170
18.7.3-31 Pressurizer Pressure Controller Depicting Spray Valve Control ... 18.7-171
18.7.3-32 Seal Injection Controller Temperature Output Demand Control ... 18.7-172
18.7.3-33 Seal Injection Controller Temperature Setpoint Adjustment ... 18.7-173
18.7.3-34 Seal Injection Controller Flow Setpoint Adjustment ... 18.7-174
18.7.3-35 Seal Injection Controller Flow Output Demand ... 18.7-175
18.7.3-36 RCS and Operator Established Alarm Tiles ... 18.7-176
18.7.3-37 RCP and Seal/Bleed Alarm Tiles ... 18.7-177
18.7.3-38 Time Sequential Alarm Page ... 18.7-178
18.7.3-39 RCS Panel Layout ... 18.7-179
18.7.4-1 CVCS Panel Layout ... 18.7-180
18.7.4-2 Plant Monitoring and Control Panel Layout ... 18.7-181
18.7.4-3 Feedwater and Condensate Panel Layout ... 18.7-182
18.7.4-4 Turbine Control Panel Layout ... 18.7-183
18.7.4-5 Safety Monitoring Panel Layout ... 18.7-184
18.7.4-6 Engineered Safety Feature Panel Layout ... 18.7-185
18.7.4-7 Cooling Water Panel Layout ... 18.7-186
18.7.4-8 Secondary Cycle Panel Layout ... 18.7-187
18.7.4-9 Electrical Distribution Panel Layout ... 18.7-188
18.7.4-10 Switchyard Panel Layout ... 18.7-189
18.7.4-11 Heating and Ventilation Panel Layout ... 18.7-190
18.7.4-12 Fire Protection Panel Layout ... 18.7-191
18.7.4-13 CRS Console Layout ... 18.7-192
18.7.4-14 CRS Desk Layout ... 18.7-195
18.8-1 Remote Shutdown Panel Layout ... 18.8-4

Chapter 18 Abbreviations

AC      Auxiliary Console
ACC     Advanced Control Complex
ACSC    Auxiliary Console and Safety Console
A/E     Architect Engineer
ALWR    Advanced Light Water Reactor
ANPP    Arizona Nuclear Power Plant
APS     Alternate Protection System
ARO     Assistant Reactor Operator
BOP     Balance of Plant
CCS     Component Control System
CCWS    Component Cooling Water System
CEA     Control Element Assembly
CEDMCS  Control Element Drive Mechanism Control System
CEDM    Control Element Drive Mechanism
CEOG    Combustion Engineering Owners Group
CFMS    Critical Functions Monitoring System
COL     Combined Operating License
COLSS   Core Operating Limit Supervisory System
CPC     Core Protection Calculator
CRS     Control Room Supervisor
CRT     Cathode Ray Tube
CVCS    Chemical & Volume Control System
DCRDR   Detailed Control Room Design Review
DIAS    Discrete Indication and Alarm System
DPS     Data Processing System
EOF     Emergency Operations Facility
EOG     Emergency Operations Guidelines
ESF     Engineered Safety Features
ESFAS   Engineered Safety Features Actuation System
FTA     Functional Task Analysis
HF      Human Factors
HFE     Human Factors Engineering
HFPP    Human Factors Program Plan
HFESGB  Human Factors Engineering Standards, Guidelines, and Bases for System 80+
HSI     Human System Interface
HVAC    Heating, Ventilation and Air Conditioning
I&C     Instrumentation and Controls
ICR     Information and Control Requirements
IPSO    Integrated Process Status Overview
LCS     Local Control Stations
LOCA    Loss of Coolant Accident
MCC     Master Control Console
MCR     Main Control Room
MDS     Megawatt Demand Setter
MOV     Motor Operated Valve
NEO     Nuclear Equipment Operator
NRC     Nuclear Regulatory Commission
NSSS    Nuclear Steam Supply System
P&ID    Piping and Instrument Diagram
PAMI    Post Accident Monitoring Instrumentation
PPS     Plant Protection System
RPCS    Reactor Power Cutback System
RCP     Reactor Coolant Pump
RCS     Reactor Coolant System
RO      Reactor Operator
RPS     Reactor Protective System
RRS     Reactor Regulating System
RSP     Remote Shutdown Panel
RT      Reaction Time
RTSG    Reactor Trip Switchgear
SC      Safety Console
SG      Steam Generators
SPDS    Safety Parameter Display System
SPMS    Success Path Monitoring System
SRO     Senior Reactor Operator
SS      Shift Supervisor
SSWS    Station Service Water System
STA     Shift Technical Advisor
TOI     Tracking-of-Open Issues
TSC     Technical Support Center
TLC     Trip Logic Calculator
VCT     Volume Control Tank
V&V     Verification and Validation
VDU     Video Display Unit



18.1 Introduction

This chapter documents the application of Human Factors Engineering (HFE) to the Nuplex 80+† Advanced Control Complex (ACC) design process to address relevant parts of General Design Criterion 19 of 10 CFR 50, Appendix A. This chapter demonstrates that accepted human engineering design principles and criteria have been applied to the design of the Nuplex 80+ ACC and the System 80+† Human System Interface (HSI) to assure safe operation of the System 80+ plant. The chapter has been structured to provide documentation meeting the recommendations of Chapter 18 of the Standard Review Plan (NUREG-0800).

The Nuplex 80+ Advanced Control Complex (ACC) is an integral part of the System 80+ Standard Design. System 80+ is an evolutionary upgrade of a successful, proven design. Changes in plant function are few, and have been made to improve performance or mitigate known problems. Many of these improvements reflect the results of operating experience and industry studies in a variety of disciplines, including human factors. There is no difference between the breadth of information in the System 80 and the System 80+ control rooms. The ABB/CENP response to DSER Open Item 18.8-1 (Section 18.4, Reference 11) provides a more detailed discussion of how human engineering systems analysis is addressed in the System 80+/Nuplex 80+ design process. The ABB/CENP response to Open Item 18.8.2 in Reference 11 provides a more detailed discussion of the impact of human performance on the breadth of information between the System 80 and System 80+ control rooms.

The Nuplex 80+ design has evolved from the Nuplex 80 ACC reference design. Nuplex 80 was developed between 1974 and 1979 for the TVA Yellow Creek units through a joint C-E and TVA development effort. A primary design objective of the Nuplex 80 ACC was to assure adequate operator comprehension in the control room through incorporation of HFE principles throughout the design process, establishing operator needs through a Functional Task Analysis and using significant utility and operator input to optimize information display systems. Another design objective was to assure acceptable maintenance times and reliability by using a systems approach to the ACC. Information on the control panels was primarily CRT-based, with backup hardwired indicators and alarms for accident mitigation and startup/shutdown functions. Analog process control systems and a digital component control system provided the required control. The Nuplex 80 design effort resulted in a documented reference design in 1980.

The Nuplex 80+ design has evolved from the Nuplex 80 reference, with specific modifications to incorporate current HFE principles and meet recent regulatory requirements. HSI improvements for Nuplex 80+ include a plant overview display, acceptable alarm presentation and handling, continued plant operation with loss of either one of two diverse information display systems, integration of normal and accident monitoring displays, and use of information presentation methods to achieve the required operator information processing. An overview of the Nuplex 80+ ACC is provided in Section 1.2.6. A description of the Instrumentation and Controls safety aspects of Nuplex 80+ is provided in Chapter 7.

Section 18.4 provides an overview of the HSI design process, with detailed methods and results provided in Sections 18.5 through 18.9.

† System 80+ and Nuplex 80+ are trademarks of Combustion Engineering, Inc.


18.2 Design Team Organization and Responsibilities

The Nuplex 80+ ACC was designed by a multi-disciplinary team. This design team included human factors specialists, systems engineers, Instrumentation and Controls (I&C) engineers, and senior reactor operators. The design team was responsible for development of standard Nuplex 80+ methodologies and criteria, implementation of those methodologies and criteria in the ACC design, and development of ADM documentation. Many members of the man-machine interface design team were also responsible for the I&C system designs described in Chapter 7. This provided close integration of the man-machine interface with the I&C system designs.

A Nuplex 80+ design review team, separate from the design team, was formed, comprised of personnel from a variety of organizations and disciplines within C-E. This team included Duke Power Company personnel, to provide nuclear plant construction and operation perspectives. The design review team was responsible for the review of Nuplex 80+ documentation, and for participation in design review meetings related to key Nuplex 80+ developments.

18.2.1 Nuplex 80+ Design Team

The Nuplex 80+ design team was comprised of a core of individuals from within the Advanced Instrumentation Design (AID) group of the Instrumentation and Controls Engineering (I&CE) department. Individuals from other organizations were included in the design group where other areas of expertise were required. Table 18.2-1 identifies the disciplines and the number of individuals in each discipline represented on the Nuplex 80+ design team. Note that individuals who worked on the design team essentially full-time are separated from those who have made significant contributions to the Nuplex 80+ design as part-time members of the team. This cross section of disciplines provided a broad technical base from which the various facets of the advanced control room were designed and evaluated.

Table 18.2-2 lists the major activities related to HFE in the Nuplex 80+ design process. The disciplines of the design team member(s) who had primary responsibility for each activity are indicated. In many activities, individuals from different disciplines had primary responsibility for different facets of a design activity. For example, three disciplines shared primary responsibility for the RCS panel design and corresponding VDU display development. The senior reactor operator developed the panel layout, the related VDU display functional designs and the required processing algorithms. Computer specialists built the VDU displays and programmed the algorithms. An HFE specialist assured that the panel, VDU displays and processing met human factors criteria. In other activities, such as the development of the standard HSI methods, multiple individuals in each discipline shared primary responsibility for development of different interface devices. Though responsibility for the design activities was assigned to specific disciplines, all members of the design team were responsible for review and comment on each Nuplex 80+ design activity and its documentation.

Human factors is integrated throughout the production process by all design team members. The HFE Standards, Guidelines, and Bases that are part of the Human Factors Program Plan for System 80+ apply, as appropriate, to all System 80+ system and equipment designs built by ABB Combustion Engineering and its subcontractors.

Job descriptions for the following HSI Design team members are found in Section 18.4, Reference 9: Manager, Advanced Reactor Instrumentation and Control (I&C); Technical Supervisor, Control Complex Engineering; Consulting Engineer, HFE (I&C Department); Lead Engineer, HFE (Services Department); Senior Engineer, HFE (Services Department); Consulting Engineer, I&C; Lead Engineer, I&C/HF; Lead Engineer, I&C/HF/Operations; Consulting Engineer, I&C/Operations; Technical Supervisor, I&C; Consulting Engineer, I&C; and A/E Liaison and Operations Expert, Duke Engineering and Services.

The HSI design team possesses the following technical expertise: technical project management, nuclear engineering, I&C engineering, HF engineering, nuclear power plant operations, computer systems/software engineering, systems engineering, architectural engineering, nuclear power plant procedures development, personnel training/systems approach to training, systems safety engineering, and Reliability, Availability, Maintainability, and Inspectability engineering.

The Nuplex 80+ design team has evolved from the original design team described here. The Human Factors Program Plan (Section 18.4, Reference 4) describes the design team composition, activities and responsibilities in more detail.

18.2.2 Nuplex 80+ Design Review Team

Early in the design process a Nuplex 80+ design review team was established to review the Nuplex 80+ design developments from a wide variety of engineering perspectives. The disciplines represented on the design review team are listed in Table 18.2-3. Each member was responsible for reviewing Nuplex 80+ human factors related documentation and providing comments based on the impact to their area of expertise. Design review team members also attended regularly scheduled design review meetings for in-depth discussion of key Nuplex 80+ developments. Significant comments made by design review team members were documented and formally resolved by design team members.

The Nuplex 80+ design review process has evolved from the design review process described here. The Human Factors Program Plan (see Section 18.4, Reference 4) and Section 18.4.2 describe the design review process in more detail.

The majority of HFE decisions are made at the technical level and resolved through review and consensus at review meetings. Decisions that cannot be resolved there are brought to the attention of management for resolution. An external design review team reviews design developments and the work of the HSI Design Team. Specifically, the external team reviews documents and results of meetings produced by the Team. The HSI Design Team uses project documentation as the primary tool to accomplish its work. These include plans, system descriptions, human factors standards and guidelines, verification reports, task analysis reports, and panel design reports. Other tools include design review meeting results that are documented through internal memoranda and the computerized tracking-of-open-issues data base, which includes human factors efforts.


Table 18.2-1 Nuplex 80+ Design Team Composition

Discipline                  Full-Time Members   Part-Time Members*
Human Factors Specialists   1                   2
Nuclear Systems Engineers   2                   2
Senior Reactor Operators    1                   1
I&C Engineers               4                   1
Computer Specialists        3                   1
Project Managers            1                   1

* These individuals contributed significantly to the Nuplex 80+ design but were not full-time members of the design team.

Table 18.2-2 Nuplex 80+ Design Team Responsibilities

Design Process Activities                         Primary Responsibilities
Design Process Development                        Project Manager; Nuclear Systems Engineer
Design Bases                                      Nuclear Systems Engineer
Functional Task Analysis                          HFE Specialist; Nuclear Systems Engineer
Control Room Configuration Assessment             Nuclear Systems Engineer; Senior Reactor Operator; HFE Specialist
Standard Man-Machine Interface Methods            I&C Engineers; Computer Specialist; HFE Specialist
Panel Design Criteria                             HFE Specialist; Nuclear Systems Engineer
RCS Panel Design & VDU Displays                   Senior Reactor Operator; Computer Specialist; HFE Specialist
Control Stations Outside the Main Control Room    Nuclear Systems Engineer
Verification & Validation                         HFE Specialist; Senior Reactor Operator


Table 18.2-3 Nuplex 80+ Design Review Team Composition

Reactor Engineering
Fluid Systems and Component Engineering
Startup Engineering
Nuclear Licensing
Instrumentation and Controls Engineering
Human Factors Engineering
Plant Operation and Construction

18.3 Design Goals and Design Bases

The first step in the process of designing the HSI for the System 80+ Standard Design was to establish design goals and the supporting design bases. These goals and bases were generated from the Nuplex 80+ Man-Machine Interface philosophy established from the factors indicated in Figure 18.4-5 (refer to Section 18.4). The Nuplex 80+ design goals are presented in Section 18.3.1. Excerpts from the Nuplex 80+ design bases are organized into the following sections:

18.3.2 Control Room Staffing and Configuration Design Bases
18.3.3 Control Panels Design Bases
18.3.4 Information Presentation and Control Design Bases

The Nuplex 80+ design bases are detailed in the Nuplex 80+ Advanced Control Complex Design Bases (Section 18.4, Reference 10). These goals and bases have been refined to comply with the HFE Program Review Model (Section 18.4, Reference 4 describes them in more detail).

18.3.1 Design Goals

The design goals for the Nuplex 80+ human-machine interface are:

• Build the Nuplex 80+ man-machine interface on the human engineering principles established for Nuplex 80 and include specific improvements to further enhance the HSI.
• Accommodate anticipated operating staff requirements for future plants.
• Integrate NSSS and balance of plant systems into a unified control complex design.
• Ensure adequate reliability of the HSI through redundancy, segmentation, and diversity.
• Meet all current regulatory criteria relating to the HSI.

18.3.2 Control Room Staffing and Configuration Design Bases

The following design bases relate to the Nuplex 80+ control room staffing and configuration:

• The Nuplex 80+ control room* provides adequate workspace for the following operating staff during both normal and emergency operations:

Number  Title                                 Certification
1       Shift Supervisor (SS)                 SRO
1       Control Room Supervisor (CRS)         SRO
3       Assistant Reactor Operators (AROs)    RO
1       Shift Technical Advisor (STA)
2       Nuclear Equipment Operators (NEOs)

* "Control room" refers to the entire room, which contains both the controlling workspace (i.e., between the control panels) and the personnel offices and other workstations outside the controlling workspace.


• The design basis control room staffing when the unit is operating (in an operational mode other than cold shutdown or refueling) is as follows:

  - a minimum of 1 licensed operator (e.g., RO) at the controls in the controlling workspace (per Regulatory Guide 1.114), and
  - a minimum of 1 SRO with direct and prompt access to the controlling workspace. This SRO will be in the control room vital area (e.g., CRS office, document room) and within sight or audible range of the RO at the controls, or within audible range of the control room annunciators. This provides a minimum of 2 operators, one of which is an SRO (e.g., CRS, SS), available to the controlling workspace.
  - 1 additional licensed operator (e.g., RO, SRO) available within four minutes of a reactor trip or when called upon to support emergency or other operations. This provides an available controlling workspace complement of 3 operators, one of which is an SRO (e.g., CRS, SS), when needed.

• The Nuplex 80+ controlling workspace (Figure 18.6.5-3) is equivalent to the "Surveillance Area" of Regulatory Guide 1.114. The controlling workspace allows operation by a single operator between hot standby and full power and accommodates a control room supervisor and two assistant reactor operators during normal operation if desired.
• The Nuplex 80+ ACC configuration minimizes required access to the controlling workspace for non-operating staff during both normal and emergency operation.
• The Nuplex 80+ configuration provides a workstation for a control room supervisor within the controlling workspace to allow coordination of activities.
• The control room configuration allows visibility of a "big board" overview display from all locations within the controlling workspace and from the control room offices.
• The control room configuration integrates facilities such as the offices for operations and support personnel and the Technical Support Center (TSC) into the control room design. The shift supervisor and the control room supervisor are provided enclosed offices within the control room with full view of the controlling workspace. Enclosed areas for shift clerical work and tag-out processing are provided in the main control room outside the controlling workspace. In addition to its emergency response function, the TSC is utilized to accommodate visitors, allowing full visibility of control room activities without interference with operations personnel. The control room security area defined in items I and J of Appendix 13A, Section 2.2 is equivalent to the "Control Room Vital Area" of Regulatory Guide 1.114.

18.3.3 Control Panel Design Bases

The following design bases relate to the design of the Nuplex 80+ control panels:

• Important parameter and alarm information determined by the Functional Task Analysis is presented at spatially dedicated locations on the control panels for quick operator reference.
• Sit-down workstations are provided for all frequently used monitoring and control functions, and are designed for use by either seated or standing operators. Stand-up panels accommodate infrequent operator tasks.
• Monitoring and control outside the main control room are designed with man-machine interfaces based on HFE principles and features consistent with the main control room.
• If the control room becomes uninhabitable, sufficient instrumentation and controls are provided at the Remote Shutdown Panel (RSP) to:
  1. achieve and safely maintain hot standby conditions
  2. achieve and maintain cold shutdown through controls located at the RSP and/or controls distributed at equipment locations and use of appropriate procedures.
• The control room man-machine interface is verified and validated according to accepted HFE principles (e.g., NUREG-0700) in accordance with the HFE Verification and Validation Plan (Section 18.4, Reference 3).

18.3.4 Informatian Pr===d=* ion and Control Design Bases I d .

The following design bases relate to the Nuplex 80+ information presentation and control methods

i L . .

i

, e The man-machine interface is based on accepted human engineering methods, principles and

' - criteria such as those presented in NUREG-0700. An FTA and a control room validation are included in the human engineering activities. l t

e Alarms and displays are presented in a unified information presentation. Redundant and diverse j

. infcrmation sources are provided without use of " backup" displays or alarms which are only used during accidents. Information presented through conventional methods and VDUs is integrated. i The information sources used during an accident are the same information sources used normally. [

a e The number of physical display devices and the quantity of redundant data presented to the. '

{ operator are reduced compared to control rooms for current generation plants.

1 e Information processing and presentation methods assure acceptable operator information inventory t through the use of parameter validation, mode and equipment status dependent logic and setpoints i and prioritization of information.

• The effectiveness of modern man-machine interface devices is demonstrated through the use of prototypes and HFE evaluations.
• Information is processed and presented via two independent and diverse (yet integrated) display systems. Failure of indications and alarms in either system will not prevent:

1. continued plant operation (for up to 24 hours)
2. achieving cold shutdown
3. accident monitoring

Under degraded conditions operators will continue to have access to all required information. Equipment failures impacting automated data processing and presentation features are accommodated by increased operator surveillance.

  • All applicable qualification criteria for safety related display information are met for a System 80+ set of Type A variables and the PWR Types B, C, D and E variables listed in Regulatory Guide 1.97.
  • Plant overview information, visible throughout the control room, is continuously displayed to provide the information that an operator or control room supervisor requires to quickly assess overall plant status.
  • Advanced display techniques are integrated into the man-machine interface so that their operational benefit is provided without requiring stand-alone computer systems. The NUREG-0696 and NUREG-0737 (Supplement 1) requirements for a Safety Parameter Display System are met by the Nuplex 80+ information presentation methods. Similarly, the Nuplex 80+ displays accommodate Regulatory Guide 1.47 requirements for safety system status monitoring.
  • A standard set of information presentation methods is used throughout the control complex. A standard set of display and access conventions is applied for all information presentation methods.
  • Critical functions established for both safety and power production serve as a primary basis for information and alarm presentation.


Approved Design Material Human Factors Engineering Page 18.3-4

18.4 Design Process and Application of Human Factors Engineering

18.4.1 Design Process Overview

The Nuplex 80+ ACC was designed using a structured design process. HFE methods, principles and criteria have been systematically applied throughout the Nuplex 80+ HSI design process. This section describes the overall Nuplex 80+ HSI design process and indicates the key applications of HFE in that process. Specific methodologies, evaluations, analyses and results are presented in the remaining Chapter 18 sections. Note that this chapter documents only the direct HSI considerations of ACC design. Instrumentation and control considerations related to systems implementation outside of the control panels and work stations are provided in Chapter 7.

The Nuplex 80+ HSI design process is described in terms of seven primary activities. These are: (1) the Human Factors Program Plan (Reference 4); (2) the Operating Experience Review (Reference 1); (3) the Human Factors Evaluation and Allocation of System 80+ Functions (Reference 7); (4) the System 80+ FTA; (5) the staffing and configuration evaluation; (6) the information presentation and panel design; and (7) the HFE verification and validation. These activities are depicted in Figure 18.4-1. The Human Factors Program Plan specifies the elements of the program and explains how the elements are managed. The Operating Experience Review describes the activities performed for Nuplex 80+ in the early phases of the program to identify past problems and "lessons learned", so that they may be avoided or retained if appropriate. The Human Factors Evaluation and Allocation of System 80+ Functions explains how System 80+ conforms to the existing Critical Functions framework to meet the applicable requirements and intentions of industry guidance for plant safety and emergency operations. The System 80+ functional task analysis analyzes plant operations by identifying operator functions and tasks. This allows development of information and control characteristics requirements. The staffing and configuration evaluation (1) established operator staffing targets, (2) selected a control room configuration based on the analysis of candidate configurations using accepted HFE principles, and (3) developed ACC environmental and communications criteria. The information presentation and panel design established standard HSI methods and panel design criteria, and developed algorithms for alarm and parameter validation processing. The HFE Verification and Validation demonstrates the availability and suitability of information and control features, and the usability of the ensemble of features to perform operator functions in the control room.

The detailed description of the Reactor Coolant System (RCS) panel is submitted to demonstrate the application of the standard methods. Descriptions of the other Main Control Room and Remote Shutdown Room Nuplex 80+ panels are also presented.

The Nuplex 80+ human factors approach described in this chapter allows for certification of the complete System 80+ ACC. The approach provides documentation of all human factors engineering applications in the Nuplex 80+ design process and provides a detailed description of the implementation results. The Nuplex 80+ human factors approach is based on developing standard features for presenting information and providing control in the advanced control room. The standard methods are used for all Nuplex 80+ panels, as compared to existing plant designs where individual panels have unique features. All human factors criteria and methods used in the above activities are documented.

Each of the design activities is described in sufficient detail, with supporting documentation where necessary, to allow NRC certification of the Nuplex 80+ design methods and criteria. The detailed submittal of the Nuplex 80+ RCS panel demonstrates the implementation results of the Nuplex 80+ methods and criteria. These provide the NRC with sufficient design results to approve the implementation of the HFE approach criteria and methods and allow certification of the complete System 80+ ACC standard design.

The following sections discuss each of the activities in the Nuplex 80+ design process in more detail.

18.4.2 Human Factors Program Plan

[[The Human Factors Program Plan (HFPP) (Reference 4 of Section 18.4) for System 80+]]¹ describes the Human Factors Engineering (HFE) program for the System 80+ Standard Plant design, specifies the elements of the program, and explains how the elements are managed. The document identifies:

1) Human Factors (HF) activities performed for the project to date;
2) HF activities to be performed as part of the ongoing System 80+ Standard Plant design program;
3) Requirements on HF activities (Appendix A of Reference 4).

The document provides a consolidated basis for review of ABB-CE's human factors plans and progress.

It presents activities and products completed as design practices which will be repeated, as specified, in the future design and construction of the plant. Activities and products cover the design of the Nuplex 80+ advanced control complex, as well as related HSI considerations for the balance of the System 80+ standard plant design. (System 80+ refers to the entire plant including the Nuplex 80+ control complex, and all local control stations.) Thus the HFPP provides a complete program for HSI development.

The HFPP has two major components. The first part is the main body of the document. This provides the review of HF activities performed by the project to date, and the plans for HF activities to be performed by the ongoing design program. The second part, Appendix A, provides goals, requirements, and criteria for these activities, along with their supporting bases and references. These two components must be considered together in the use and evaluation of the Plan.

Some of the major issues addressed in the main body of the HFPP include: (1) how the generic Human-Centered Design Goals identified in the NRC Program Review Model (Reference 2 of Section 18.4) are addressed; (2) a description and discussion of the analyses and less-structured evaluations the design team has performed and planned to perform as part of the Nuplex 80+ HSI design process; and (3) the HFE schedule.

(1) The following six generic Human-Centered Design Goals identified in the NRC Program Review Model are addressed in the HFPP (Section 1.2.2.2 of Reference 4):

1. System-defined Criteria
2. Function Allocation
3. Situational Awareness
4,5. Perceptual and Cognitive Loading
6. Operator Error.

¹ NRC Staff approval is required prior to implementing a change in this information; see DCD Introduction Section 3.5.

(2) The design team has performed and plans to perform a number of analyses and evaluations as part of the Nuplex 80+ HSI design process including the following:

Analyses and Evaluations Contributing to the Nuplex 80+ Design

  • Results of previous system operational knowledge.
  • Functional Task Analysis. (See Sections 18.4.5 and 18.5)
  • Staffing and Configuration Evaluation. (See Section 18.4.6)
  • Information Presentation and Panel Design Evaluation. (See Section 18.4.7)
  • Verification and Validation. (See Sections 18.4.9 and 18.9)
  • Alarm Analyses and Evaluations
  • Halden Reactor Studies

Future Human Factors Activities

  • Final Human Factors Standards, Guidelines, and Bases
  • Full Scale Mockup Activities
  • Prototyping
  • Verification Activities
  • Further Task Analysis
  • Static Mock-Up Evaluations
  • Validation Activities

(3) The HFPP provides a qualitative schedule based on design phases. This schedule specifies the general sequence in which HFE activities will be performed.

Appendix A of the HFPP states human factors-related goals, requirements, criteria, and bases for the Nuplex 80+ HSI design process. These specifications have been developed based on similar industrial, regulatory, and military models. A design process that conforms to these specifications satisfies Federal Regulations and NRC Requirements, as well as the need for formal and systematic HSI design.

[[The design process elements, which are detailed in Appendix A of the HFPP, are as follows:

1. HFE Program Management
2. Incorporation of Industry Experience
3. Evaluation and Allocation of System Functions
4. Task Analysis
5. Human-System Interface Design
6. Availability Verification
7. Suitability Verification
8. Design Validation

A Tracking-of-Open-Issues function is provided to ensure disposition of HFE issues formally raised during the design, construction, analyses, and evaluations. The Tracking-of-Open-Issues function is part of the HFPP as performed. The function is dedicated to tracking human factors issues. It is a long-term, full-scope tracking method. Appendix A of the HFPP provides specific requirements for the Tracking-of-Open-Issues function in Section A.3.1.2.4.

18.4.3 Operating Experience Review

The purpose of the Operating Experience Review (Reference 1) was to fulfill Element 2, Operating Experience Review, of the NRC Program Review Model (Reference 2). The Operating Experience Review describes the Operating Experience Review activities performed for Nuplex 80+ in the early phases of this program including: identification of past problems and "lessons learned" for the control room, remote shutdown panel, and local control stations; and the strengths and weaknesses encountered in similar systems of previous designs so that they may be revised or retained as appropriate.

The Operating Experience Review identifies numerous sources of past problems and "lessons learned" and provides Nuplex 80+ design guidance derived wholly or partially from these sources. For each of the issues identified in the design guidance of the report a design resolution is provided. Identified HFE issues that are currently unresolved (i.e., HFE open issues) are entered into the HFE Tracking-of-Open-Issues data base.

The guidance and associated Nuplex 80+ design resolutions in the Operating Experience Review apply to the entire Nuplex 80+ design including the Main Control Room (MCR), Remote Shutdown Room (RSR) and those local control stations identified in the Emergency Operations Guidelines.

18.4.4 Human Factors Evaluation and Allocation of System 80+ Functions

The purpose of the Human Factors Evaluation and Allocation of System 80+ Functions (Reference 7) is to explain how System 80+ conforms to the existing Critical Functions framework to meet the applicable requirements and intentions of industry guidance for plant safety and emergency operations.

The report identifies:

  • Requirements and guidelines applicable to the issues of functional analysis and allocation;
  • The ABB-CE plant operators' role as it has evolved and culminated in System 80+, with an emphasis on safety functions; and
  • How System 80+ meets the applicable safety-related requirements.

The report responds to the requirements of the ABB-CE Human Factors Program Plan (Reference 4, Section A-3.3). In addition, it addresses Elements 3 and 4 of the HFE Program Review Model (Reference 2).

A review of the federal regulations, industry standards, and regulatory guidelines and criteria applicable to the allocation of control and safety functions in the System 80+ design was performed. After reviewing these requirements and resulting design criteria, it is evident that the general goal has been to remove the need for the operator to respond with immediate control actions at the onset of events. This approach increases reliability of overall system protective actions by 1) reducing reliance on sustained human vigilance, and 2) reducing time stress on human performance, which induces errors. Further allocation decisions tend to be based on experience and precedent.

Manual and automatic allocations in safety system critical functions and success paths are identified in the Human Factors Evaluation and Allocation of System 80+ Functions report. The analysis assumes that existing plants of similar design (e.g., System 80) with extensive, successful operating histories are a valid point of reference to evaluate evolutionary changes and improvements. The results and conclusions of the report are summarized as follows:

1. Significant allocation concerns specified in prior generations of ABB-CE plants have been addressed.
2. System 80+ meets all safety-related requirements for allocation of function.
3. System 80+ provides improvements through revised allocations in areas of known concern to operator performance.
4. Evaluation of the interaction between the human and machine elements of the plant control system, and resolution of specific problems identified, will continue as part of Task Analysis, PRA, Verification & Validation, and procedure development activities.

18.4.5 Functional Task Analysis

Functional Task Analysis (FTA) is performed for the System 80+ plant as a formal part of the Nuplex 80+ ACC design process and Human Factors Program Plan (HFPP). FTA is a means to ensure that necessary operator tasks can be successfully performed. The FTA approach functionally decomposes the physical plant and its operations so that procedural tasks and decision processing can be analyzed independent of particular hardware implementations.

A detailed discussion of the functional task analysis methodology and results is provided in References 1 and 2 of Section 18.5.

18.4.6 Staffing and Configuration Evaluation

The control room staffing and configuration evaluation established a Nuplex 80+ staffing target, defined a control room configuration, and established the environmental and communications criteria which the control room design meets. A block diagram of the Nuplex 80+ staffing and configuration evaluation is presented in Figure 18.4-3. Operating staff targets for Nuplex 80+ were established to accommodate a variety of staffing assignments during both normal and emergency operation. Candidate control room configurations were developed based on the staffing targets. The candidate configurations were evaluated by feasibility studies using HFE criteria assembled from Reference 8 of this section and References 1, 2, 4, 5, 6 and 7 of Section 18.5. The configuration evaluation included both the configuration inside the controlling workspace (i.e., between the control panels) and within the entire control room (including administrative support facilities). Panel arrangements and console profiles were defined based on HFE criteria and the FTA results. The detailed staffing and configuration analysis method and results are provided in Section 18.6.

18.4.7 Information Presentation and Panel Design

Information presentation and panel design activities developed standard Nuplex 80+ information and control methodologies and implemented them in the Nuplex 80+ panel designs. This process is illustrated in Figure 18.4-4. A Nuplex 80+ HSI philosophy was established based on C-E's HSI design experience and industry factors as shown in Figure 18.4-5. The design experience includes development of advanced operator aids such as the Integrated Process Status Overview (IPSO), the Critical Function Monitoring System (CFMS) and the Success Path Monitoring System (SPMS). This philosophy led to development of standard information presentation and control methodologies which support the operator's information needs and adhere to established HFE criteria. The standard methodologies comprise the Nuplex 80+ information hierarchy shown in Figure 18.4-6. Criteria were established to allocate information requirements from the FTA to the most suitable information presentation method in the hierarchy.

The Nuplex 80+ HSI system processes most raw data before presentation to the operator (e.g., validated parameters and alarms). This facilitates display of information in the most usable form and reduces the operator's data processing burden. Generic algorithms to provide this processing were developed as part of the analysis. Generic panel design criteria were established to facilitate consistent application of accepted HFE criteria and principles to all of the Nuplex 80+ panels. Detailed documentation of the above methods and results is presented in Section 18.7 and in Reference 6.

The HFE Standards, Guidelines, and Bases for System 80+ (Reference 6) provides all designers and evaluators with a complete compendium of human engineering information to assure standardized HSI across the project. The bases include source materials from which the guidance was culled, and justifications for design-specific implementations, to support trade-off design. This document includes consideration of all HSI, including computer based HSI and readability of alarm text and tiles from all control room positions. This document is a key element of the HFPP.

The Control Panel HSI features use operating conventions that meet the human factors design criteria.

The following standard HSI features are used in the control panel design:

  • DPS Display Hierarchy
  • DIAS Alarm Tile Displays
  • DIAS Dedicated Parameter Displays
  • DIAS Multiple Parameter Displays
  • CCS Process Controller Displays
  • CCS Switch Configurations

These standard features are described in Section 18.7.1.

An example of the implementation of these methods and criteria has been provided through the submittal of a detailed description of the Nuplex 80+ prototype RCS panel. Nuplex 80+ panel design includes development of the panel surface design based on the FTA information and control requirements and the panel design HFE criteria. Panel design also includes alarm grouping and logic, parameter validation algorithms and indicator parameter groupings. HFE input was provided in each of the design activities, and a comprehensive HFE review of the entire design was performed. This design process produced a methodology for design on all panels. The HFPP (Reference 4) describes the design process in detail.

The results of the RCS panel design process are provided in detail in Section 18.7.3.

The remaining Nuplex 80+ panels are designed using the same methods, criteria, and standard information display, alarm and control techniques. The description of these panels identifies the use of standard indications, alarms and controls on each panel, and details the unique panel features which go beyond standard display and control techniques. These descriptions are provided in Section 18.7.4.

18.4.8 Control and Monitoring Stations Outside the Main Control Room

All System 80+ local control stations are designed in accordance with the criteria in the System 80+ Human Factors Engineering Standards, Guidelines and Bases (Reference 6 of Section 18.4). This assures that accepted HSI design principles are incorporated into local control station design. In addition, local control stations required to perform the System 80+ Emergency Operations Guidelines (EOG) are designed using task analysis and human factors verification and validation.

The scope of the Nuplex 80+ ACC design includes the Remote Shutdown Panel (RSP). The RSP design bases and information and control requirements were established and a panel design was developed based on accepted HFE criteria.

The Technical Support Center (TSC) and Emergency Operations Facility (EOF) are described in Section 13.3.

18.4.9 Verification and Validation

Verification evaluates the design adequacy of the elemental parts of the HSI. Validation evaluates the overall ensemble for collective, dynamic task sufficiency.

[[The Human Factors Engineering (HFE) Verification and Validation Plan (Reference 3 of Section 18.4) for Nuplex 80+]]³ describes how the HFE verification and validation is managed, administered, and performed. Additionally, the verification and validation analysis criteria, methodology, required resources (e.g., Emergency Operations Guidelines, normal and abnormal operating sequences, I&C design requirements, HSI hardware, etc.), schedule for activities, and milestones are provided. Specifically, the HFE Verification and Validation Plan meets the design process requirements and criteria for availability verification, suitability verification, and validation of the ensemble as defined in Sections A-3.6, A-3.7, and A-3.8 of the HFE Program Plan (Reference 4).

The HFE V&V Plan applies to all Human-System Interface (HSI) and workspace environment in the Main Control Room (MCR), Remote Shutdown Panel (RSP) and those control stations specified in the Emergency Operations Guidelines (EOG).

³ NRC Staff approval is required prior to implementing a change in this information; see DCD Introduction Section 3.5.

There are three distinct types of verification and validation activities: 1) Availability Verification, 2) Suitability Verification, and 3) Validation.

Availability verification takes place in two phases, Phase 1 (availability analysis) and Phase 2 (availability inspection).

The purpose of Phase 1 (Availability Analysis) is to ensure the following:

1. System I&C Inventory meets the following requirements:
  • Information & Control Requirements (ICR) as specified in the Functional Task Analysis,
  • federally mandated indication and control requirements, and
  • fixed position MCR HSI is provided for credited safety function success path tasks identified in the Probabilistic Risk Assessment (PRA) and EOG.
2. Unresolved HFE TOI database issues are reviewed to identify any additional issues that should be considered during availability analysis.

After assuring the above requirements are met in the System I&C Inventory, a checklist (to be used during Phase 2 Inspection of the as-designed HSI) of System I&C Requirements applicable to the MCR, RSR, and local control stations specified in the EOG is developed.

The purpose of Phase 2 (Availability Inspection) is to compare the as-designed HSI to the availability checklist produced in the Phase 1 analysis; this includes:

1. Verifying and documenting that all System I&C Inventory identified on the Availability checklist are available in the HSI design;
2. Identifying candidate HSI indications or controls for removal.

Suitability verification addresses the issue of whether the form and arrangement of HSI indications and controls support operator task accomplishment. It roughly spans the gap between the questions of "is the needed information, and only the needed information, present?" (Availability verification) and "does the design, in terms of actual operators, using the full control room, the actual procedures, the real plant dynamics, etc., actually work together as a whole?" (Validation). Suitability therefore overlaps somewhat with both these areas of evaluative and inspection effort.

The purpose of validation is to ensure that the sum of the various HSI features afforded by the MCR, RSR, and any local control stations specified in the EOG provide usable HSI ensembles that support the successful accomplishment of the operator's required tasks (i.e., validation of the performance of the integrated Man-Machine system for System 80+). Validation includes operator interaction with the ensemble and EOG. Specifically, validation meets the following objectives:

1. Validate ability to execute operator tasks required by procedure guidance.
2. Validate the MCR configuration staffing assumptions and confirm the Task Analysis results.
3. Validate time response for credited operator actions based on the safety analysis.


4. Validate the allocation of functions and operator situational awareness.
5. Validate operator communication and team interaction.
6. Validate operation with HSI and I&C equipment failures.
7. Validate ability of the operator to use the alarm system effectively.

Section 18.9 presents a more detailed description of verification and validation.

References for Section 18.4

1. "Operating Experience Review for System 80+ MMI Design," ABB Combustion Engineering, Inc., NPX80-IC-RR790-01.
2. "Advanced Control Room Design Review Guideline: Technical Development Volume 1," U.S. Nuclear Regulatory Commission, NUREG-5908 (Draft), May 1992.
3. "Human Factors Engineering Verification and Validation Plan for Nuplex 80+," ABB Combustion Engineering, Inc., NPX80-IC-VP790-03.
4. "Human Factors Program Plan for the System 80+ Standard Plant Design," ABB Combustion Engineering, Inc., NPX80-IC-DP790-01.
5. "Guidelines for Control Room Design Reviews," U.S. Nuclear Regulatory Commission, NUREG-0700, 1981.
6. "Human Factors Engineering Standards, Guidelines, and Bases for System 80+," ABB Combustion Engineering, Inc., NPX-IC-DR-791-02.
7. "Human Factors Evaluation and Allocation of System 80+ Functions," ABB Combustion Engineering, Inc., NPX80-IC-RR790-02.
8. "A Model for Human Decision Making in Complex Systems and Its Use for Design of Control System Strategies," Rasmussen and Lind, Proceedings of the American Control Conference, June 1982.
9. "ABB/CE Letter to the NRC," LD-92-085, July 31, 1993.
10. "Nuplex 80+ Advanced Control Complex Design Bases," Nuclear Power Systems, Combustion Engineering, Inc., NPX80-IC-DB-790-01.
11. "ABB/CE Letter to the NRC," LD-93405, January 18, 1993.

Figure 18.4-1 Nuplex 80+ Design Process. Flow diagram with the blocks: Human Factors Program Plan; Operating Experience Review; Human Factors Evaluation and Allocation of System 80+ Functions; Staffing and Configuration Evaluation; Information Presentation and Panel Design Analysis; System 80+ Specific Functional Task Analysis; Nuplex 80+ Man-Machine Interface Design; Verification and Validation; CESSAR-DC Chapter 18.

Figure 18.4-2 This Figure Intentionally Blank.

Figure 18.4-3 Staffing and Configuration Evaluation. Block diagram; legible blocks: Establish Staffing and Operations Philosophy; Develop Candidate Configurations; Evaluate Feasibility of Candidates and Select a Target Configuration (Human Factors Criteria); Establish System/Function/Task Panel Arrangement Analysis; Nuplex 80+ Panel Profiles; Define Alarm, Display and Control Methodology; Define Nuplex 80+ Control Room Configuration; Environmental Criteria.

Figure 18.4-4 Information Presentation and Panel Design Analysis. Block diagram; legible blocks: Establish Nuplex 80+ Man-Machine Interface Philosophy; Develop Nuplex 80+ Alarm, Display and Control Methodology; Allocate Information and Control Requirements from FTA to Alarm, Display and Control Methods; Establish Panel Information Design Criteria; Design Information Processing Algorithms; Configuration; Design Panel Arrangement; Nuplex 80+ Panels.

Figure 18.4-5 Nuplex 80+ Man-Machine Interface Philosophy. Inputs: Nuplex 80+ Design Goals; C-E and Duke Power Co. Operating Experience; EPRI ALWR Goals; Available Man-Machine Technology; CFMS & SPMS and IPSO Experience; Regulatory Criteria (U.S. & Foreign); output: Nuplex 80+ Goals.

Figure 18.4-6 Nuplex 80+ Information Display Hierarchy. Integrated Process Status Overview (1)(2); Discrete Alarms (2); Discrete Indicators (2); CRT Displays (1); Process Controller / Component Controls; I&C Operator Modules (3). Notes: (1) plant computer driven (DPS); (2) driven by multiple processors (DIAS); (3) driven by individual plant systems.

18.5 Functional Task Analysis

Functional Task Analysis (FTA) is performed for the System 80+ plant as a formal part of the Nuplex 80+ ACC design process and Human Factors Program Plan (HFPP). FTA is a means to ensure that necessary operator tasks can be successfully performed. The FTA approach functionally decomposes the physical plant and its operations so that procedural tasks and decision processing can be analyzed independent of particular hardware implementations. The completed FTA provides the following analytic results for the design:

  • Procedure Guideline-based Information and Controls Requirements (PGICRs) for the control room human-system interface;
  • Operator task loading evaluations identify high workload situations for subsequent resolution;
  • Data on information and control usage by operators that supports the arrangement of physical components on the control panels.

The FTA methodology is based on the approach of References 1 and 2; details are provided in Section 18.5.1.

18.5.1 Method

The System 80+ FTA is based on the methodology used for the Combustion Engineering Owners Group (CEOG) Generic Operator Information and Control Requirements Review (References 1 and 2). This approach, developed and utilized to support the formal review of existing control rooms, has been modified to support a design process for the Nuplex 80+ ACC, particularly by incorporation of workload measures and criteria. The FTA methodology is presented in six major steps:

• Establish assumptions and bases
• Review input and design documentation
• Establish task decomposition and data framework
• Establish loading criteria
• Perform analyses
• Document results and conclusions

Details on each of these steps are provided in the remainder of Section 18.5.1.

18.5.1.1 Assumptions and Bases

The assumptions on which the FTA is based are specified as follows:

• Evolutionary Design
The System 80+ design activities are being conducted to produce the next generation of Combustion Engineering's nuclear power plant. It is an evolutionary enhancement of a proven design, System 80. The functions and features of the Combustion Engineering System 80+ design are incremental revisions to this proven design, incorporating technological improvements and operating experience through a systematic design process.

• Operator's Role
As a corollary of Assumption A, Nuplex 80+ is an advanced I&C implementation of existing MMI functions. Changes to the operators' role, and the tasks required to perform that role in support of operations, are minimized. Where changes have occurred, they aim to 1) resolve known problems, 2) retain successful aspects of existing control rooms, and 3) avoid new problems.

• PGICRs
Procedure Guideline-based Information and Control Requirements resulting from the FTA will be afforded by the systems-based instrument and controls inventory and will be verified to be available in the control room, per HFPP requirements.

• Event Sequences
Event sequences are representative examples of normal, abnormal, and emergency operating scenarios. Event sequences are generic cases based on the combined operator requirements of expected plant responses and proceduralized operating strategies (i.e., excluding complex interactions, error propagation, and sabotage). The analysis of generic cases provides adequate data for the FTA's evaluation of operator workload and behavioral requirements. Selected event sequences are specified in Section 18.5.1.5.1; these sequences will be incorporated in validation activities per HFPP requirements.

• Level of Detail
Event sequences are detailed by evaluating the necessary operator tasks per the applicable procedure guidelines (e.g., Reference 5) along a time line. Event sequences identify decision points and basic decisions, but do not pursue variations of these basic decisions into multiple contingencies.

• Simple Additivity
The FTA will consider task elements to be additive and serially processed, unless otherwise noted. No general consideration is given to complex interactions of steps or personnel in the FTA. Formal evaluation of interactions will occur as part of human factors Validation activities.

• Physical and Mental Workload
Regarding workload, the main concern in the FTA is with mental tasks in control center activities. [[The associated physical tasks are within the capabilities of the 5th percentile female operator.]] Exceptions to this assumption, such as might occur for a locally performed task, are documented in the data.

Footnote to the [[ ]] material: NRC Staff approval is required prior to implementing a change in this information; see DCD Introduction Section 3.5.

• Workload and Human Error
The FTA evaluates operator workload as a comparison of the time available for a task and the time required to perform it. Loadings which violate the acceptability criteria (see Section 18.5.1.4) are considered error-likely situations to be documented and resolved.

• Staffing
The FTA considers staffing to be a form of workload capacity. Consistent with the concern for excessive workload, staffing is conservatively assumed to be at the design basis minimum level specified for each event sequence. However, staffing level will not impact the analysis unless a detailed evaluation (per Criterion B of 18.5.1.4) is made.

• Environmental Hazards
[[The workspace environments in the Main Control Room and/or Remote Shutdown Room remain habitable for all design basis events and scenarios.]] However, [[local control stations included in the FTA shall be individually evaluated for personnel hazards per the specified operating sequences and tasks.]]

18.5.1.2 Input and Design Documentation Review

System 80+ includes design changes and improvements to address experience gained from earlier plant designs, criteria provided by the Advanced Light Water Reactor (ALWR) Requirements Document, and guidance from the NRC's Severe Accident Policy and Standardization Rule. Documentation for the System 80+ design has been reviewed to identify the plant processes, configurations, and modes of operation.

In particular, CESSAR-DC, supported by system descriptions, technical specifications, and training materials for System 80, provides the baseline for describing the operating role of the revised systems in System 80+ and extrapolating their operations for revised procedure guidelines and the FTA. A list of these basic purposes of the plant systems and configurations is maintained as part of the System 80+ FTA data base.

18.5.1.3 Task Decomposition and Data Framework

[[The following hierarchical structure was used as the framework to decompose event sequences into components:

1) Gross function / subfunction
   A) Task
      1) Element]]

Each of these levels is detailed as follows.

18.5.1.3.1 Gross Function / Subfunction Level

Gross functions are high level statements of the operator's general purpose in performing a related set of tasks. They specify a basic operating goal (e.g., "Maintain RCS Heat Removal") from the operator's perspective. Each gross function (or subfunction) statement represents one or more tasks with a single main purpose, and may be comprised in different situations by different sets of tasks. Functions appear within sequences in a generic order of performance, per vendor operating procedure guidelines. Subfunctions are identified if a gross function has multiple purposes; otherwise, the two levels of description are similar.

18.5.1.3.2 Task Level

This level analyzes operator behaviors in terms of a generic, closed-loop information processing model. It utilizes a simple but comprehensive data framework that can accommodate a large variety of specific tasks. [[The model views a task as falling into one of four basic categories:]]

• [[Input]] (Perception) - Collect or obtain needed information.
• [[Process]] (Cognition) - Evaluate, plan, calculate, decide (etc.) on a result or course of action based on collected or otherwise known information.
• [[Output]] (Action) - Perform the act or manipulation specified.
• [[Feedback]] - Monitor the results of output actions and transmit the results back to the input; this either verifies success or cues further processing and corrective action.

Tasks in a sequence tend to cycle through these categories, although well-designed and skillfully performed tasks do not necessarily show four distinct components. The benefit of this framework is that it directs the analyst's attention to the necessary components of deliberate, rule-based (i.e., procedural) behavior (Reference 6). A single task is expressed by a task statement. A task statement includes two basic parts: 1) a verb from the defined verb taxonomy (listed in the FTA data base), and 2) the object of the verb (a parameter, component, etc.). For example:

    Collect   Pressurizer Pressure
    (verb)    (object)

These task statements then serve as the centerpiece around which the remaining task element data are organized and documented.

18.5.1.3.3 Element Level

[[The element level]] of this analysis specifies critical details that may be associated with each task statement. These data complete the FTA picture of task behavioral requirements; i.e., of how the task must be performed. The additional [[data include]]:

• [[Cues]] - Cues are conditions, prompts, alerts, or similar items directing that the task statement should be executed. (A typical default cue for a task statement is its position within a procedure sequence.)
• [[Criteria]] - Criteria are qualitative or quantitative values or limits which are necessary references for correct evaluation or execution of the task statement.
• [[Time Allowed]] - The time allowed is the period of time required, as assumed by the analysis, for the execution of the multiple elements comprising the task statement. The initial screening value of time allowed to perform each task statement is one minute (see Section 18.5.1.4).
• [[Location]] - Location is the place or position at which a given task is expected to be performed. Location data provide a basis to perform link analysis.
• [[Remarks]] - Remarks are extra notations or miscellaneous task requirements from data categories with infrequent significance. In the present task analysis, these issues could include, for example, specific workplace suitability issues, task support requirements, communications requirements, crew interaction, or hazard identification.

Elements are the lowest level of the FTA decomposition. An example of a task element data form is shown in Table 18.5.1-1. Additional analyses of the data performed as part of the FTA (i.e., information and controls requirements, and time profile/workload evaluations) are described in Sections 18.5.1.5.3 and 18.5.1.5.4.

18.5.1.4 [[Loading Criteria

Workload is evaluated on the basis of comparisons between estimates of time available for, and time required by, the elements of a task. The criteria are as follows:

1. A conservative criterion]] based on ANSI/ANS-58.8 (Reference 8) [[provides a minimum of one minute for each required manual manipulation (i.e., task element). This is an initial screening criterion to identify potentially excessive loadings.
2. If task requirements exceed the limits of screening criterion 1, more detailed evaluation of the human performance requirements is performed, based on a cognitive processing model]] presented in Reference 7. [[These evaluations will utilize explicitly stated conservative assumptions, model parameters, and criteria for human and equipment response time performance. Example calculations will be provided. Failure to meet both criteria 1 and 2 above indicates the need for further design assessment and formal resolution.]] Such findings are entered into the Tracking Open Items (TOI) database, per the requirements of the HFPP.

18.5.1.5 Analyses

18.5.1.5.1 [[Scope

The following event sequences comprise a representative cross section of operations for the Nuplex 80+ control room FTA]], including all Emergency Operations Guidelines (Reference 5):

[[• Startup with Steady State and Transient Power Operations
• Shutdown with Shutdown Decay Heat Removal
• Design Basis Shutdown from the Remote Shutdown Area
• Mid-loop (including Loss of SCS) and Refueling Operations
• Reactor Trip and Recovery
• Loss-of-Coolant-Accident
• Steam Generator Tube Rupture
• Excess Steam Demand
• Loss of Feedwater
• Loss of Offsite Power (LOOP)
• Station Blackout (LOOP without DGs)
• Anticipated Transient Without Scram
• Design Basis Failures of DPS and DIAS
• Selected Abnormal Operating Procedures
• Selected Tech Spec Surveillances]]

18.5.1.5.2 [[PRA and Critical Tasks]]

In addition to the representative event sequences in Section 18.5.1.5.1, the System 80+ PRA and associated Human Reliability Analyses (HRA) are used to identify [["Critical Tasks."]] These [[are operator tasks indicated by PRA to make significant contribution to total plant risk.]] The cutoff criterion for Critical Tasks is that they fall within the top 100 events of the Level 1 PRA in order of risk achievement value. This criterion spans almost six orders of magnitude of risk reduction, and divides events analyzed to significantly reduce risk from the residual events (i.e., those with risk achievement approaching an asymptote at 100). [[Critical Tasks are incorporated as separate event sequences in the Task Analysis database.]] Findings from the associated HRA and FTA are dispositioned through the formal documentation and tracking mechanisms of the Human Factors Program Plan (Reference 10).

18.5.1.5.3 [[Information and Control Requirements]]

The evaluation of PGICRs summarizes the procedure-based parametric requirements for display and control variables identified by the FTA. Summaries are sorted from the FTA database for each variable. For example, characteristics for 'pressurizer pressure' are summarized for each distinct gross function where pressurizer pressure is utilized. [[Characteristics include the following areas:]]

• [[Device type]]
A recommendation for display/control type for each variable is provided based on the FTA results, operating experience, human performance characteristics, and human factors guidance.

• [[Range]]
The required upper and lower value limits for the variable as required for operations are provided based on transient performance figures.

• [[Accuracy]]
The instrument accuracy required for each variable is provided based on operations requirements.

• [[Units]]
The recommended unit of measure for each variable is provided based on operational experience, industry performance, and engineering judgement.

• [[Precision]]
The display precision of each measured variable is provided based on operator task requirements.

18.5.1.5.4 [[Time Profile/Workload Evaluation

The event sequences identified]] in Section 18.5.1.5.1 [[are analyzed and reviewed by experts in plant operations. Event time profiles are then plotted on time lines and sectioned into discrete evaluation intervals (to minimize unnecessary calculation, fewer activities may be summed within longer intervals). Process time estimates are derived by evaluating data from specific event profiles, based on operator experience and process transient response models. The time profile evaluation considers:

• The time into the event sequence at which the operator is expected to be cued to perform the tasks in an interval
• The time available to perform the tasks in the interval (i.e., plant process constraints)
• The time required to perform the tasks in the interval (i.e., human performance constraints)
• Whether time required exceeds time available for specified task intervals

Criteria for time required to perform tasks are specified]] in Section 18.5.1.4.

18.5.1.5.5 Link Analysis

Link analysis evaluates the distribution and interactions of the operators' panel transitions in a given scenario. [[Link analysis is performed for design basis normal operations and plant shutdown during a loss of the DPS.]] This is considered to be a limiting case in terms of its impact on the necessary movement of operators within the controlling workspace. Link data shall be precise to the nearest half-panel.

18.5.1.5.6 [[Identification of Overload Situations and Recommendations

If time required exceeds time available per Criterion A]] of Section 18.5.1.4, [[then task loading is a concern. In such cases, the task sequence is reevaluated incorporating more refined timing assumptions per Criterion B. If this detailed evaluation continues to show that more time is required than is available for operator action, the issue is identified in the results, and must receive formal assessment and resolution]] per the design process and HFPP.

18.5.1.6 Results Documentation

The FTA data are stored on a personal computer database system to allow manipulation and updating of information. As additions are made to the database, existing portions of the analysis will be updated to reflect any changes to the FTA methodology. This will ensure internal consistency of the final FTA results, and of those results with the System 80+ design.

18.5.2 Results

The following sections provide an example of typical FTA results for System 80+. This represents a preliminary application of the methodology. The example incorporates specific RCS panel design details, and evaluates an event sequence (reactor trip) of significant interest from a workload perspective. Other panel details required by this sequence have been incorporated in the database model as interim design assumptions. When completed, the FTA database will incorporate all event sequences specified in Section 18.5.1.5.1, and equivalent panel design details for all systems required in those sequences.

18.5.2.1 System 80+ System Functions

As described in Section 18.5.1.2, a System 80+ documentation review generated a list of basic functions and system purposes for System 80+. These were compiled as part of the task analysis database for the systems listed in Table 18.5.2-1. An example of a system functions description is provided in Table 18.5.2-2 for the RCS. Additionally, a significant amount of information was consolidated for major System 80+ components. This is illustrated by Table 18.5.2-3 for some RCS components.

18.5.2.2 Gross Functions by Event

For the events in Section 18.5.1.5.1, event sequences are partitioned by gross function and subfunction. These are stored in the FTA database. Table 18.5.2-4 provides an example of this high-level functional analysis structure for a reactor trip event. Other events may have significantly more gross functions and subfunctions; for example, the Loss-of-Coolant-Accident (LOCA) event has a total of 56 gross functions with over 100 subfunctions.

18.5.2.3 Task List by Event Sequence

The next level breakdown results in individual operator tasks being identified for each function in an event sequence. This includes a reference to the system functions identified in Section 18.5.2.1. Table 18.5.2-5 lists the task statements for the reactor trip event.

18.5.2.4 Task Elements by Gross Function and Task

The next level of decomposition identifies elements within tasks. This specifies information to be observed or manipulated in order to perform the required actions. At this level of detail, required parameter variables are identified. Table 18.5.2-6 illustrates the task element information developed for the reactor trip event. This listing also displays task statements by system and system function. Table 18.5.2-7 characterizes the use of these information elements as a direct precursor to specifying the related information and controls requirements.

18.5.2.5 Parameter Usage

The task analysis data base was sorted to identify all uses of a given parameter in the event sequences considered. This allows the information characteristics required for a variety of observations to be grouped by major gross function prompts in order to consolidate the information requirements. Table 18.5.2-8 lists the parameters analyzed for the RCS. As an example of the results of this effort, Table 18.5.2-9 is a partial listing of parameter uses for pressurizer pressure. The remaining uses for pressurizer pressure and the uses for other parameters are stored in the task analysis data base.

18.5.2.6 Information and Control Requirements

The final FTA activity related to determining PGICRs was to consolidate the characteristics required for the major prompts for each parameter. These characteristics are then used in the panel design activities discussed in Section 18.7. As an example, Table 18.5.2-10 identifies the major operator prompts for pressurizer pressure. Table 18.5.2-11 gives the characteristics required for these prompts and a rationale for each. Similar sets of information were developed for the remaining task analysis parameters and stored in the task analysis data base.

18.5.2.7 Event Sequence Time Profile

A time profile for the reactor trip event is provided as an example in Table 18.5.2-12. This example was selected based on its relatively high workload peaks and low design basis workload resources (i.e., single operator in the control room). Time assessment data for the sequence's task elements were generated. The resulting time profile identifies the time into the event that each parameter must be observed, the time allotment for related decisions to be made, and the estimated processing time based on the model in Table 18.5.1-3.

18.5.2.8 Evaluation of Reactor Trip Example

The Reactor Trip evaluation indicated excessive loading during minute 0 to minute 2 of the event. This is consistent with the general notion that there is an intense rush of activity occurring with any sudden transition of plant operating status. According to the detailed cognitive model, during this interval the operator has sufficient time only to physically orient himself to a discrete continuous display (1 second) or step through 1 menu selection without a physical move to another panel (0.9 seconds). Parameter access through 2 menu levels requires at least 1.9 seconds plus 1 second if movement is required between panels, exceeding the average time available. Thus, while the overall Nuplex 80+ information scheme was sufficient, opportunities for design improvement were identified. To accommodate the need to perform multiple, predetermined status checks in a short period of time, the recommendation was made to collect these parameters in a single, readily accessible display location, and format them for rapid verification. These findings are entered in the TOI database. In addition, the display hierarchy was revised to significantly reduce the frequency of interactions required for display access. No cognitive overload situations were identified during remaining portions of this event sequence according to the criteria of this analysis. The operator can perceive, make decisions, and access all necessary information within the time required.

18.5.2.9 Independent Data Review

Independent operational review of the FTA showed a high degree of concurrence with the generated data. Reviewers identified discrepancies in only 1 to 2 percent of the data. These discrepancies were resolved and appropriate changes incorporated.
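The two-stage loading evaluation of Sections 18.5.1.4 and 18.5.1.5.6, applied to reactor trip intervals of the kind discussed above, as an added worked example in Python; this is not code from the DCD or from the System 80+ FTA database. The 1 s, 0.9 s and 1 s figures are those quoted in Section 18.5.2.8; how they combine per task element, the task elements themselves and the interval bounds are assumptions constructed here.

```python
"""Two-stage workload screening of an FTA time-profile interval.

Added example for DCD Sections 18.5.1.4 / 18.5.1.5.6 / 18.5.2.8; not code
from the System 80+ FTA database.  Task elements and interval bounds below
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Criterion 1 (18.5.1.4): one minute per required manual manipulation,
# i.e. per task element, after ANSI/ANS-58.8.
SCREENING_SECONDS_PER_ELEMENT = 60.0

# Criterion 2 parameters as quoted in 18.5.2.8.  How they combine per
# element is an assumption made here: orient to the target display, plus
# one menu selection per menu level beyond the first, plus a panel move if
# one is needed (this reproduces the "2 menu levels = 1.9 s" figure).  The
# full cognitive model of Reference 7 is not reproduced.
ORIENT_SECONDS = 1.0
MENU_SELECT_SECONDS = 0.9
PANEL_MOVE_SECONDS = 1.0


@dataclass
class TaskElement:
    """One element of a task statement: verb + object (18.5.1.3.2/18.5.1.3.3)."""
    verb: str                 # from the FTA verb taxonomy, e.g. "Collect"
    obj: str                  # parameter or component, e.g. "Pressurizer Pressure"
    menu_levels: int = 0      # 0 = fixed-position (discrete) display, no CRT navigation
    panel_move: bool = False  # operator must first move to another panel
    cue: str = "procedure position"
    location: str = "MCR"


@dataclass
class Interval:
    """One evaluation interval of the event time line (18.5.1.5.4)."""
    start_s: float
    end_s: float
    elements: List[TaskElement]

    @property
    def time_available(self) -> float:
        return self.end_s - self.start_s   # plant process constraint


def element_time(e: TaskElement) -> float:
    """Assumed per-element processing time under the Criterion 2 parameters."""
    t = ORIENT_SECONDS
    if e.menu_levels > 1:
        t += (e.menu_levels - 1) * MENU_SELECT_SECONDS
    if e.panel_move:
        t += PANEL_MOVE_SECONDS
    return t


def screening_time_required(iv: Interval) -> float:
    """Criterion 1: every element is charged one minute."""
    return len(iv.elements) * SCREENING_SECONDS_PER_ELEMENT


def detailed_time_required(iv: Interval) -> float:
    """Criterion 2: elements are additive and serially processed (18.5.1.1)."""
    return sum(element_time(e) for e in iv.elements)


def evaluate(iv: Interval) -> Dict[str, object]:
    """Apply Criterion 1; only if it fails, re-evaluate per Criterion 2 (18.5.1.5.6)."""
    avail = iv.time_available
    screen = screening_time_required(iv)
    out: Dict[str, object] = {"available_s": avail, "screening_s": screen,
                              "criterion_1_pass": screen <= avail}
    if screen <= avail:
        out["finding"] = "acceptable"
        return out
    detailed = detailed_time_required(iv)
    out["detailed_s"] = detailed
    out["criterion_2_pass"] = detailed <= avail
    out["finding"] = ("acceptable" if detailed <= avail
                      else "overload: formal assessment required (TOI)")
    return out


def consolidate(iv: Interval) -> Interval:
    """Model the 18.5.2.8 recommendation: place the interval's parameters on one
    readily accessible display, so no menu navigation or panel move is needed."""
    return Interval(iv.start_s, iv.end_s,
                    [TaskElement(e.verb, e.obj, 0, False, e.cue, e.location)
                     for e in iv.elements])


# Constructed intervals (not from the DCD); six status checks in the first
# seconds after the trip, then a quieter interval later in the sequence.
TRIP_EARLY = Interval(0.0, 10.0, [
    TaskElement("Verify", "Reactor Trip Breakers Open", menu_levels=2, panel_move=True),
    TaskElement("Verify", "Turbine Trip", menu_levels=2, panel_move=True),
    TaskElement("Collect", "Pressurizer Pressure", menu_levels=2, panel_move=True),
    TaskElement("Collect", "Pressurizer Level", menu_levels=2, panel_move=True),
    TaskElement("Collect", "SG Level", menu_levels=2, panel_move=True),
    TaskElement("Collect", "RCS Tcold", menu_levels=2, panel_move=True),
])
TRIP_LATER = Interval(120.0, 240.0, [
    TaskElement("Collect", "Pressurizer Pressure"),
    TaskElement("Collect", "SG Pressure", menu_levels=2),
    TaskElement("Verify", "EFW Flow", menu_levels=2, panel_move=True),
])

if __name__ == "__main__":
    for name, iv in (("trip 0-10 s", TRIP_EARLY), ("trip 120-240 s", TRIP_LATER)):
        print(name, evaluate(iv))
    print("trip 0-10 s, consolidated display", evaluate(consolidate(TRIP_EARLY)))
```

Running it shows the early interval failing both criteria (17.4 s required against 10 s available) and passing once the six parameters are consolidated onto one display (6.0 s), while the later interval fails the one-minute screen but clears Criterion 2.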
18.5.3 Comparison with Experience-Based Instrumentation Requirements

Experience-based instrumentation and controls information was utilized as part of the panel design process. These data were obtained independently of the functional task analysis and utilized in conjunction with the analytical results. This process is described in Section 18.7.3.2.

A list of experience-based instrumentation information was developed to augment the information requirements identified in the functional task analysis. The analytical approach provides information requirements for both normal and accident event sequences. For accident sequences, little or no actual experience-based information is available other than from simulation codes. However, for normal sequences (e.g., startup, load transients) a significant source of data is provided by reviewing the instrumentation used in existing plants. Operators use this instrumentation regularly and control room design reviews have been performed to assure that it is properly human factor engineered. All information requirements relating to surveillance testing and maintenance activities were generated from experience-based data.

The information requirements obtained from both methods, functional task analysis and experience, were cross checked to optimize the quality of the information requirements generated for Nuplex 80+. As an example of the results of this effort, a comprehensive list of RCS information requirements is provided in Section 18.7.3.2.1. These were generated during the panel layout process described in detail in Section 18.7.3.

Similarly, the controls required for the Nuplex 80+ control room are also generated by a combination of functional task analysis and experience-based data. Processes and components needing control are identified by System 80+ mechanical systems designers. The primary process and component controls identified were essentially the same as for previous plants with a few exceptions for system design changes. Thus, the analysis of control requirements was taken from previous functional task analysis efforts based on References 1 and 2. The control requirements were then verified to be correct for System 80+ and revised where system changes dictated it.

The experience-based data with respect to controls was initially used to form the basis for the man-machine allocation and degree of automation in the Nuplex 80+ ACC. It also provided input to selection of control types and establishing control system designs. As with the functional task analysis data, the experience-based control data is modified to accommodate specific System 80+ process and component designs. The generic Nuplex 80+ implementation methods for controls requirements are described in Section 18.7.1. Specific examples pertaining to the RCS are provided in Sections 18.7.3 and 18.7.3.2.2, respectively. The functional task analysis allocation evaluation then confirms the acceptability of the Nuplex 80+ design.

18.5.4 [[MCR Annunciator, Display, and Control Inventory

Based on the FTA data and results, a subset of the identified annunciators, displays, and controls is specified as the MCR Minimum Inventory required to execute the EOGs and perform the PRA Critical Tasks]] (Section 18.5.1.5.2). [[Within this scope, the following criteria are used to identify Minimum Inventory entries:

Annunciators and Displays
• Critical Safety Function status indicator
• Preferred/credited Success Path performance indicator
• Indication required to verify Safe Shutdown
• Reg. Guide 1.97 Category 1 variable

Controls
• Preferred/credited Success Path component (i.e., in major flowpath)
• Component required to perform Safe Shutdown

The MCR Minimum Inventory is provided as fixed position HSI per the Certified Design.]] The term "fixed position" refers to the unique location on IPSO and the MCR panels for annunciators, displays, and controls defined for the parameters in the MCR Minimum Inventory. [[Standard Features]] (Section 18.7.1) [[which can be used to provide fixed position annunciator, display, or control functions include DIAS Dedicated Parameter Displays, DIAS Alarm Tile Displays, CCS Switch Configurations, and CCS Process Controller Displays.

The MCR Minimum Inventory (Table 18.5.4-1) is incorporated in the overall Availability verification]] (Section 18.9.1) [[along with the indication and control requirements from federal regulations, system design specifications, FTA results, and the HFE tracking system. Availability verification assures consistency between these requirements and the completed system I&C inventories, as well as between the system I&C inventories and the as-built HSI]].

References for Section 18.5

1. "Generic Operator Information and Controls Requirements Review Based on Combustion Engineering Emergency Procedure Guidelines," Combustion Engineering, Inc., CE-NPSD-299, July 1985.
2. "C-E Owners Group Generic Information and Control Characteristics Review," Combustion Engineering, Inc., CEN-307, August 1985.
3. "Task Analysis of Nuclear Power Plant Control Room Crews," USNRC, NUREG/CR-3371, 1983.
4. "Human Factors Guide for Nuclear Power Plant Control Room Development," EPRI, NP-3659, August 1984.
5. "System 80+ Emergency Operations Guidelines," LD-94-043, June 1994.
6. "Information Processing and Human Interaction," J. Rasmussen, North-Holland: NY, 1986.
7. "The Psychology of Human-Computer Interaction," S. Card, T. Moran, A. Newell, Lawrence Erlbaum: NH, 1983.
8. "Time Response Design Criteria for Safety-related Operator Action," American National Standards Institute, ANSI/ANS-58.8.
9. "System 80+ Function & Task Analysis Report," Combustion Engineering, Inc., NPX80-IC-DP790-02.
10. "Human Factors Program Plan for the System 80+ Standard Plant Design," NPX80-IC-DP790-01.
11. "MCR Minimum Inventory of Fixed Position Annunciators, Displays, and Controls," NPX80-IC-RR790-3-0.

System 80+ Deskn ControlDocument s/ Table 18.5.1-1 Task Element Data Form i Sequence: Date: Gross Function: Page: Subfunction: Task / Time Element # Cue Verb Object Criteria Required Location Remarks > N 1 l / w w w u.n w. w rcom e ,_ ::., ren vs.s-ra s

Table 18.5.2-1 System 80+ System Function Descriptions

The following systems and acronyms are used in the examples of task analysis data provided in the Section 18.5 tables.

ACC      Advanced Control Complex
AIR      Compressed Air and Gas Systems
ATWS     Anticipated Transient Without Scram
AUXSTM   Auxiliary Steam System
BLDG     Building
BRS      Boron Recycling
CCW      Component Cooling Water
CRDS     Control Rod Drive System
CGC      Combustible Gas Control
CLRT     Containment Leakage Rate Testing
CNTMT    Containment
COND     Condensate Storage System
CSS      Containment Spray System
CVCS     Chemical and Volume Control System
EFW      Emergency Feedwater System
FCS      Feedwater and Condensate System
FDRAIN   Equipment and Floor Drainage System
FHS      Fuel Handling System
FUEL     Core and Fuel
HVAC     Heating, Ventilation and Air Conditioning
IRWST    In-Containment Refueling Water Storage Tank
IWSS     In-Containment Water Storage System
LTOP     Low Temperature Over Pressurization
MSS      Main / Extraction Steam System
MUPS     Makeup and Purification System
PLCS     Pressurizer Level Control System
PORV     Pressure Operated Relief Valve
PPCS     Pressurizer Pressure Control System
PSS      Process Sampling System
PZR      Pressurizer
RCP      Reactor Coolant Pump
RCS      Reactor Coolant System
RVI      Reactor Pressure Vessel & Internals
RX       Reactor System
SCAS     Secondary Chemical Addition System
SCS      Shutdown Cooling System
SDS      Safety Depressurization System
SFW      Startup Feedwater System
SG       Steam Generating System
SI       Safety Injection System
SIT      Safety Injection Tank
TG       Turbine Generator

Table 18.5.2-2 RCS System Purposes and Basic Functions

1. Transport hot primary coolant from the reactor vessel to the steam generator and transport cooled primary coolant from the steam generator to the reactor vessel.
2. During normal operation and upset conditions, maintain a high integrity boundary for the primary coolant which prevents leaks to the containment atmosphere.
3. During normal operation and upset conditions, maintain pressure in the primary coolant system within specified limits for all anticipated reactor coolant transients, without dependence on pressure relief devices. Maintenance of system pressure is accomplished in the pressurizer.
4. Provide forced circulation for primary coolant.
5. Support natural circulation sufficient to remove decay heat from the reactor.
6. Provide overpressure protection.
7. In conjunction with the reactor system, assure that there is only one steam/water interface during normal operations, and that this steam/water interface is located in the pressurizer.
8. Following severe accidents, provide for high point venting of hydrogen and other noncondensible gases.


Table 18.5.2-3 General System 80+ Component Data

Component Design & Operating Data            | System 80+ | System 80
Reactor Vessel                               |            |
  Total core heat output (MWt)               | 3,914      | 3,800
  Design pressure (psia)                     | 2,500      | 2,500
  Primary system pressure (psia)             | 2,250      | 2,250
  RCS inlet temperature (°F)                 | 556        | 565
  RCS outlet temperature (°F)                | 615        | 621
  Design minimum RCS flow rate (gpm)         | 444,650    | 415,600
Steam Generator                              |            |
  Number of units                            | 2          | 2
  Primary Side                               |            |
    Design pressure (psia)                   | 2,500      | 2,500
    Design temperature (°F)                  | 650        | 650
    Operating pressure (psia)                | 2,250      | 2,250
  Secondary Side                             |            |
    Design pressure (psia)                   | 1,200      | 1,270
    Design temperature (°F)                  | 570        | 575
    Full load steam pressure (psia)          | 1,000      | 1,070
    Full load steam temperature (°F)         | 545        | 553
    Zero load steam pressure (psia)          | 1,100      | 1,170
    Total steam flow per generator (lb/h)    | 8.82x10^6  | 8.59x10^6
    Full load steam quality (%)              | 99.75      | 99.75
Pressurizer                                  |            |
  Internal free volume (ft^3)                | 2,400      | 1,800
  Design pressure (psia)                     | 2,500      | 2,500
  Design temperature (°F)                    | 700        | 700
  Operating pressure (psia)                  | 2,250      | 2,250
  Operating temperature (°F)                 | 653        | 653
  Vessel height (ft)                         | 54         | 42

Table 18.5.2-4 Reactor Trip Gross Functions and Subfunctions

Gross Functions/Subfunctions, each followed by a brief description of operations:

1.00 Standard Post Trip Actions. Specific set of operator responses to ensure all "safety functions" have been checked. Establishes a consistent baseline for emergencies.
1.01 Ensure Reactor Shutdown. Check for indications for reactor shutdown and follow up to ensure CEAs are bottomed.
1.02 Ensure plant electrical power available. Trip turbine generator and align plant electrical power to a source of power, either off-site through transformers or diesel generators.
1.03 Control RCS inventory. Check level to ensure automatic control capabilities are controlling pressurizer level.
1.04 Control RCS pressure. Check pressure to ensure automatic pressure control features are controlling RCS pressure.
1.05 Control core heat removal. Check for operation of RCPs.
1.06 Control RCS heat removal. Check SG parameters for steaming and feeding to exist or the capability to steam and feed a SG.
1.07 Maintain containment integrity. Check containment atmosphere for signs that additional containment integrity measures may need to be taken.
1.08 Control containment atmosphere. Check containment atmosphere for signs that additional containment cooling measures may need to be taken.
1.09 Control containment combustible gases. Check for the presence of combustible gases in containment.
2.00 Diagnosis of event. Evaluate information collected during SPTA to determine event.
3.00 Ensure SPTA performed. Confirm Standard Post Trip Actions have been performed.
4.00 Confirm diagnosis of event. Evaluate information collected to confirm SPTA and determine event.
5.00 Control RCS inventory. Control pressurizer level within indicating range.
6.00 Control RCS pressure. Control pressurizer pressure to normal control bands so that NPSH for RCP operation is adequate, subcooling exists, etc., with heaters and spray control.
7.00 Control RCS heat removal. Control steaming of SG to limit heatup or cooldown of plant after the reactor trip.
8.00 Maintain SG inventory. Control feedwater to SG to maintain adequate inventory for steaming SG for heat removal.
8.01 Control Main Feedwater to SGs. Maintain SG level in normal band to maximize heat removal by controlling main feedwater flow to SGs.
8.02 Control emergency feedwater to SGs. Maintain SG level in normal band to maximize heat removal by controlling Emergency Feedwater flow to SGs.
9.00 Evaluate need for a cooldown. Evaluate plant conditions to determine if a cooldown is needed to place the plant in a safe condition for repair and recovery.
9.01 Ensure condensate reserves adequate. To continue to provide a source for the secondary heat sink, condensate inventories need to be monitored and replenished as necessary.
9.02 Control RCS pressure. To continue to operate in hot standby, the ability to maintain pressure must be considered to determine whether to cooldown or not.
10.00 Maintain RCS parameters. Check RCS parameters to maintain RCS fluid in state for heat removal (control pressure, inventory, RCP operation).
10.01 Control RCS inventory. Maintain adequate inventory of RCS fluid to maintain a state of heat removal.
10.02 Control RCS pressure. Control pressure to normal control bands so that NPSH for RCP operation is adequate, subcooling exists, etc., with heaters and spray control.
10.03 Monitor RCS parameters for Forced Circ. Monitor RCS parameters to continue RCP operation.

Table 18.5.2-5 Reactor Trip Task Listing

Gross Function/Subfunctions with their task statements; each task statement is followed in parentheses by the system function it is derived from (System & Function #).

1.00 Standard Post Trip Actions. Refer to #1.01 to 1.09.
1.01 Ensure Reactor Shutdown.
     Collect NI information. (RX 1)
     Collect CEA position information. (CEA 4)
     Evaluate information. (RX 4)
1.02 Ensure plant electrical power available.
     Collect TG output information. (ELEC)
     Collect bus feeder information. (ELEC)
     Evaluate information. (ELEC)
     Collect diesel generator output information. (ELEC)
     Evaluate need for diesel. (ELEC)
     Start diesel. (ELEC)
1.03 Control RCS inventory.
     Collect Pzr parameter information. (PZR 1, 2, 4)
     Collect CVCS flow to and from RCS. (CVCS 1, 11)
     Evaluate demands for CVCS flows. (CVCS 1, 11)
1.04 Control RCS pressure.
     Collect RCS pressure information. (RCS 3)
     Evaluate against control limits. (PZR 5, 6)
1.05 Control core heat removal.
     Collect RCP information. (RCS 1)
     Decide if RCPs are operating. (RCS 1)
1.06 Control RCS heat removal.
     Collect SG parameter information. (SG 3, 5, 6)
     Collect MSS flow information. (MSS 4, 5, 6)
     Collect FCS flow information. (FCS 1)
     Decide SG availability for heat removal. (RCS 1)
1.07 Maintain containment integrity.
     Collect containment parameter information. (CNTMT 1)
     Decide if isolation is required. (CNTMT 1)
1.08 Control containment atmosphere.
     Collect containment parameter information. (CNTMT 1)
     Decide if additional cooling is needed. (CSS 1)
1.09 Control containment combustible gases.
     Collect containment H2 parameter information. (CGC 3)
     Decide if H2 exists. (CGC 3)
2.00 Diagnosis of event.
     Review collected info #1.01 to 1.09.
     Decide event.
3.00 Ensure SPTA performed.
     Review collected information #1.01 to 1.09.
     Decide if SPTA performed. (CDP)
     Perform outstanding actions.
4.00 Confirm diagnosis of event.
     Review collected information #1.01 to 1.09.
     Decide event diagnosis is confirmed.
5.00 Control RCS inventory.
     Collect Pzr parameter information. (PZR 1, 2, 4)
     Collect CVCS flow to and from RCS. (CVCS 1, 11)
     Evaluate demand for CVCS flows. (CVCS 1, 11)
6.00 Control RCS pressure.
     Collect RCS pressure information. (RCS 3)
     Evaluate against control limits. (PZR 5, 6)
7.00 Control RCS heat removal.
     Collect MSS flow information. (MSS 5, 6)
     Collect SG pressure information. (SG 1)
     Collect RCS temperature information. (RCS 1)
     Control TBS rate of steaming. (MSS 5)
8.00 Maintain SG inventory.
     Collect SG parameter information. (SG 3, 4)
     Collect MSS flow information. (MSS 4, 5, 6)
     Evaluate demand for SG makeup. (SG 3)
     Decide rate of feeding SG. (SG 3)
     Decide method of feeding steam generator. (SG 3)
     Refer to either #8.01 or 8.02.
8.01 Control Main Feedwater to SGs.
     Control main feedwater flow to SG. (FCS 1)
     Collect FCS flow information. (FCS 1)
     Evaluate against demand for SG makeup. (SG 3)
8.02 Control emergency feedwater to SGs.
     Control emergency feedwater to SG. (EFW 1)
     Collect emergency feedwater flow information. (EFW 1)
     Evaluate against demand for SG makeup. (SG 3)
9.00 Evaluate need for a cooldown. Refer to #9.01 to 9.02.
9.01 Ensure condensate reserves adequate.
     Collect condensate reserve parameter info. (MUPS 1, 2)
     Evaluate parameters against specified limits. (RCS 1/SG 3)
     Decide adequacy of reserve.
9.02 Control RCS pressure.
     Collect RCS pressure information. (RCS 3)
     Evaluate against control limits. (PZR 5, 6)
10.00 Maintain RCS parameters. Refer to #10.01 to 10.03.
10.01 Control RCS inventory.
     Collect Pzr parameter information. (PZR 1, 2, 4)
     Collect CVCS flow to and from RCS. (CVCS 1, 11)
     Evaluate demands for CVCS flows. (CVCS 1, 22)
10.02 Control RCS pressure.
     Collect RCS pressure information. (RCS 3)
     Evaluate against control limits. (PZR 5, 6)
10.03 Monitor RCS parameters for Forced Circ.
     Collect RCP parameter information. (RCS 4)
     Collect RCS parameter information. (RCS 1)
     Evaluate against specified limits for ops. (RCS 4)

Table 18.5.2-6 Reactor Trip Task Element Listing

For each gross function/subfunction: the task statements (each followed in parentheses by the system function it is derived from, System & Function #) and the (Collect) task elements, i.e. the parameters to observe.

1.00 Standard Post Trip Actions. Refer to #1.01 to 1.09.
1.01 Ensure Reactor Shutdown.
     Task statements: Collect NI information (RX 1); Collect CEA position information (CEA 4); Evaluate information (RX 4).
     Parameters to observe: CEA position; CEA position; Reactor power (NI); Startup rate (NI).
1.02 Ensure plant electrical power available.
     Task statements: Collect TG output information (ELEC); Collect bus feeder information (ELEC); Evaluate information (ELEC); Collect diesel generator output information (ELEC); Evaluate need for diesel (ELEC); Start diesel (ELEC).
     Parameters to observe: 13.8 kV services bus feeder; DG output breaker; DG output breaker; DG output frequency; DG output voltage; Turbine generator breaker position; Turbine trip.
1.03 Control RCS inventory.
     Task statements: Collect Pzr parameter information (PZR 1, 2, 4); Collect CVCS flow to and from RCS (CVCS 1, 11); Evaluate demands for CVCS flows (CVCS 1, 11).
     Parameters to observe: Charging flow; Letdown flow; PLCS setpoint level; Pressurizer level; Pressurizer level; RCS subcooling; Time.
1.04 Control RCS pressure.
     Task statements: Collect RCS pressure information (RCS 3); Evaluate against control limits (PZR 5, 6).
     Parameters to observe: PPCS setpoint pressure; Pressurizer pressure; Pressurizer pressure; Time.
1.05 Control core heat removal.
     Task statements: Collect RCP information (RCS 1); Decide if RCPs are operating (RCS 1).
     Parameters to observe: RCP amperes; RCP speed; RCS cold leg temperature; RCS hot leg temperature.
1.06 Control RCS heat removal.
     Task statements: Collect SG parameter information (SG 3, 5, 6); Collect MSS flow information (MSS 4, 5, 6); Collect FCS flow information (FCS 1); Decide SG availability for heat removal (RCS 1).
     Parameters to observe: Emergency feedwater flow; Main feed flow; Main feedpump speed; Main feedwater flow; Main steam flow; RCS average temperature; Steam generator level; Steam generator pressure.
1.07 Maintain containment integrity.
     Task statements: Collect containment parameter information (CNTMT 1); Decide if isolation is required (CNTMT 1).
     Parameters to observe: Containment area radiation; Containment pressure; Steam plant radiation.
1.08 Control containment atmosphere.
     Task statements: Collect containment parameter information (CNTMT 1); Decide if additional cooling is needed (CSS 1).
     Parameters to observe: Containment pressure; Containment temperature.
1.09 Control containment combustible gases.
     Task statements: Collect containment H2 parameter information (CGC 3); Decide if H2 exists (CGC 3).
     Parameters to observe: Containment pressure; Containment temperature.
2.00 Diagnosis of event.
     Task statements: Review collected info #1.01 to 1.09; Decide event.
     Parameters to observe: Containment pressure; Containment temperature; Pressurizer level; Pressurizer pressure; Steam generator level.
3.00 Ensure SPTA performed.
     Task statements: Review collected information #1.01 to 1.09; Decide if SPTA performed (CDP); Perform outstanding actions.
4.00 Confirm diagnosis of event.
     Task statements: Review collected information #1.01 to 1.09; Decide event diagnosis is confirmed.
5.00 Control RCS inventory.
     Task statements: Collect Pzr parameter information (PZR 1, 2, 4); Collect CVCS flow to and from RCS (CVCS 1, 11); Evaluate demand for CVCS flows (CVCS 1, 11).
     Parameters to observe: Pressurizer level.
6.00 Control RCS pressure.
     Task statements: Collect RCS pressure information (RCS 3); Evaluate against control limits (PZR 5, 6).
     Parameters to observe: Pressurizer pressure.
7.00 Control RCS heat removal.
     Task statements: Collect MSS flow information (MSS 5, 6); Collect SG pressure information (SG 1); Collect RCS temperature information (RCS 1); Control TBS rate of steaming (MSS 5).
     Parameters to observe: Main steam flow; RCS average temperature; Steam generator pressure; Turbine 1st stage steam pressure.
8.00 Maintain SG inventory.
     Task statements: Collect SG parameter information (SG 3, 4); Collect MSS flow information (MSS 4, 5, 6); Evaluate demand for SG makeup (SG 3); Decide rate of feeding SG (SG 3); Decide method of feeding steam generator (SG 3); Refer to either #8.01 or 8.02.
     Parameters to observe: Steam generator level.
8.01 Control Main Feedwater to SGs.
     Task statements: Control main feedwater flow to SG (FCS 1); Collect FCS flow information (FCS 1); Evaluate against demand for SG makeup (SG 3).
     Parameters to observe: Main feedwater flow.
8.02 Control emergency feedwater to SGs.
     Task statements: Control emergency feedwater to SG (EFW 1); Collect emergency feedwater flow information (EFW 1); Evaluate against demand for SG makeup (SG 3).
     Parameters to observe: Emergency feedwater flow.
9.00 Evaluate need for a cooldown. Refer to #9.01 to 9.02.
9.01 Ensure condensate reserves adequate.
     Task statements: Collect condensate reserve parameter info (MUPS 1, 2); Evaluate parameters against specified limits (RCS 1/SG 3); Decide adequacy of reserve.
     Parameters to observe: Condensate storage tank level; IRWST level.
9.02 Control RCS pressure.
     Task statements: Collect RCS pressure information (RCS 3); Evaluate against control limits (PZR 5, 6).
     Parameters to observe: Pressurizer heater power; Pressurizer pressure; Pressurizer pressure.
10.00 Maintain RCS parameters. Refer to #10.01 to 10.03.
10.01 Control RCS inventory.
     Task statements: Collect PZR parameter information (PZR 1, 2, 4); Collect CVCS flow to and from RCS (CVCS 1, 11); Evaluate demands for CVCS flows (CVCS 1, 22).
     Parameters to observe: Pressurizer level.
10.02 Control RCS pressure.
     Task statements: Collect RCS pressure information (RCS 3); Evaluate against control limits (PZR 5, 6).
     Parameters to observe: Pressurizer pressure.
10.03 Monitor RCS parameters for Forced Circulation.
     Task statements: Collect RCP parameter information (RCS 4); Collect RCS parameter information (RCS 1); Evaluate against specified limits for ops (RCS 4).
     Parameters to observe: RCP speed; RCS cold leg temperature; RCS hot leg temperature.

Table 18.5.2-7 Reactor Trip Collect Information

Gross Function No. | Parameter to Observe | Observation to Make
1.01 | CEA position | Observe to determine position of CEA in core/fuel.
1.01 | CEA position | Observe for CEA bottomed position.
1.01 | Reactor Power (NI) | Observe nuclear instrumentation for decay value (indication that reactor is shutting down).
1.01 | Startup Rate (NI) | Observe nuclear instrumentation for negative rate of change.
1.02 | 13.8 kV Services Bus feeder | Observe for closed breaker.
1.02 | DG output breaker | If DG is off, observe for open position.
1.02 | DG output breaker | If DG is running and 13.8 kV service bus is without power, observe for closed position.
1.02 | DG output frequency | If DG is started, observe for output voltage.
1.02 | Turbine generator breaker position | Observe for open indication of TG output breaker.
1.02 | Turbine trip | Observe for indication of Turbine Trip activated.
1.03 | Charging flow | Observe for PLCS demanded flow.
1.03 | Letdown flow | Observe for PLCS demanded flow.
1.03 | PLCS setpoint level | Observe for comparison to pressurizer level and expected transient demand for setpoint.
1.03 | Pressurizer level | Observe to determine rate of inventory change.
1.03 | Pressurizer level | Observe for PLCS demanded level.
1.03 | RCS subcooling | Observe for indications that subcooling exists.
1.03 | Time | Observe to determine "rate of change".
1.04 | PPCS setpoint pressure | Observe for comparison to pressurizer pressure.
1.04 | Pressurizer pressure | Observe for PPCS demanded pressure.
1.04 | Pressurizer pressure | Observe to determine rate of change.
1.04 | Time | Observe to determine "rate of change".
1.05 | RCP Amperes | Observe for trend of current to determine if RCPs are operating (an analog value method).
1.05 | RCP speed | Observe to determine if RCPs are operating (an alternate digital value method).
1.05 | RCS cold leg temperature | Observe to determine delta T between hot and cold leg temperatures for the same loop.
1.05 | RCS hot leg temperature | Observe to determine delta T between hot and cold leg temperatures for the same loop.
1.06 | Emergency feedwater flow | If actuated, observe for flow to restore SG level to normal band while NOT overcooling RCS.
1.06 | Main feed flow | Observe for reactor trip override (RTO) response (a bypass controlling flow is expected).
1.06 | Main feedpump speed | Observe speed decrease.
1.06 | Main feedwater flow | Observe for FWCS demanded flow to restore SG level without overcooling the RCS.
1.06 | Main steam flow | Observe for TBS demanded flow.
1.06 | RCS average temperature | Observe for value being maintained.
1.06 | Steam Generator level | Observe for existence of level.
1.06 | Steam Generator pressure | Observe for pressure above operating pressure but below SG safety relief limits.
1.07 | Containment area radiation | Observe for detection of radiation above normal levels.
1.07 | Containment pressure | Observe for existence of pressure above normal containment atmosphere.
1.07 | Steam plant radiation | Observe for detection of radiation.
1.08 | Containment pressure | Observe for value above normal.
1.08 | Containment temperature | Observe for value above normal.
1.09 | Containment pressure | Observe for value above normal.
1.09 | Containment temperature | Observe for value above normal.
2.00 | Containment pressure | Observe for normal containment atmospheric conditions.
2.00 | Containment temperature | Observe for normal containment atmospheric conditions.
2.00 | Pressurizer level | Observe for transient recovered by PLCS.
2.00 | Pressurizer pressure | Observe for transient recovered by PPCS.
2.00 | Steam Generator level | Observe for transient recovered by FWCS.
5.00 | Pressurizer level | Observe for transient recovered by PLCS.
6.00 | Pressurizer pressure | Observe for transient recovered by PPCS.
7.00 | Main steam flow | Observe for small (<5%) amount of steam flow.
7.00 | RCS average temperature |
7.00 | Steam Generator pressure |
7.00 | Turbine 1st stage steam pressure |
8.00 | Steam generator level | Observe for transient recovered by FWCS to normal level.
8.01 | Main feedwater flow | Observe for FWCS demanded flow.
8.02 | Emergency feedwater flow | If actuated, observe for flow to restore SG level to normal band while NOT overcooling RCS.
9.01 | Emergency feedwater tank | Observe to (mentally) record value for calculation of reserves availability.
9.01 | IRWST level | Observe to (mentally) record value for calculation of reserves availability.
9.02 | Pressurizer heater power | Observe for ON/OFF conditions as PPCS demands.
9.02 | Pressurizer pressure | Observe for changes in pressure not normal to PPCS control.
9.02 | Pressurizer pressure | Observe for value to make assessment of pressure condition required to make any repairs.
10.01 | Pressurizer level | Observe for constant inventory.
10.02 | Pressurizer pressure | Observe for constant pressure.
10.03 | RCP speed | Observe to determine if RCPs are operating.
10.03 | RCS cold leg temperature | Observe to determine delta T between hot and cold leg temperatures for the same loop.
10.03 | RCS hot leg temperature | Observe to determine delta T between hot and cold leg temperatures for the same loop.

Table 18.5.2-8 List of Analyzed RCS Parameters

Pressurizer Level
Pressurizer Pressure
Pressurizer Spray Flow
RCP 1A Differential Pressure
RCP 1B Differential Pressure
RCP 2A Differential Pressure
RCP 2B Differential Pressure
RCP 1A Speed
RCP 1B Speed
RCP 2A Speed
RCP 2B Speed
RCP Amperes
RCP Bleedoff Flow
RCP Motor Temperature
RCP Operating Status
RCP Seal Stage Pressure(s)
RCP Seal Stage Temperatures
RCS Average Temperature
RCS Boron Concentration
RCS Cold Leg Temperature
RCS Hot Leg Temperature
RCS Subcooling
Reactor Vessel Level

Table 18.5.2-9 Pressurizer Pressure Parameter Uses

Gross Function No. | Event | Observation to Make
6.00 | SGTR | Observe pressure and rate of pressure decrease to (1300 psia or required worst case event SI and RCP setpoints).
23.02 | LOCA-1 | Observe for value "close" to hot standby.
18.03 | SGTR | Observe to (mentally) record RCS pressure.
33.03 | LOCA-1 | Observe for value at or above specified pressure.
24.00 | SGTR | Observe for decreasing pressure.
31.00 | SGTR | Observe to record RCS pressure below SIT isolation setpoint.
22.02 | LOCA-1 | Observe for decreasing value.
10.02 | Rx Trip | Observe for constant pressure.
9.02 | Rx Trip | Observe for value to make assessment of pressure condition required to make any repairs.
6.00 | Rx Trip | Observe for transient recovered by PPCS.
2.00 | SGTR | Observe pressure decreasing at rate greater than heater capacity can make up (i.e., "noticeable rate").
1.04 | Rx Trip | Observe to determine rate of change.
17.01 | SGTR | Observe to (mentally) record RCS pressure.
21.00 | LOCA-1 | Observe to determine rate of change.
29.00 | LOCA-1 | Observe for dropping pressure.
25.01 | SGTR | Observe for value to compare with P-T limits.
29.01 | LOCA-1 | Observe for value to calculate core subcooling.
21.00 | LOCA-1 | Observe to determine rate of change.
36.00 | LOCA-1 | Observe for value at or below specific pressure during depressurization and cooldown.
9.02 | Rx Trip | Observe for changes in pressure not normal to PPCS control.
1.04 | SGTR | Observe to determine rate of change.
33.02 | LOCA-1 | Observe for value at or above specified pressure during depressurization.
2.00 | Rx Trip | Observe for transient recovered by PPCS.
25.02 | LOCA-1 | Observe to detect excessive rate of change.
22.01 | LOCA-1 | Observe for value to compare with P-T limits.
37.00 | LOCA-1 | Observe for changes in pressure that are LESS than expected.
1.04 | Rx Trip | Observe for PPCS demanded pressure.
20.00 | LOCA-1 | Observe to (mentally) record value for assessment of charging flow to RCS.
8.02 | SGTR | Observe for comparison to RCP operating limits.
22.05 | LOCA-1 | Observe for value to compare to HPSI header pressure.
25.01 | LOCA-1 | Observe for value.
19.04 | SGTR | Observe for pressure being maintained.
21.01 | LOCA-1 | Observe to compare to HPSI header pressure.
17.03 | SGTR | Observe for a decreasing pressure.
23.03 | LOCA-1 | Observe for rate of change.
34.00 | LOCA-1 | Observe for value at or above specific pressure during depressurization and cooldown.
24.04 | LOCA-1 | Observe for value for calculation of subcooling.
34.03 | SGTR | Observe to confirm changes in pressure due to initiated actions.

Table 18.5.2-10 Parameter Summary for Pressurizer Pressure

Summary of Usage (Operator Prompts) | Allocation / Notes
Relief Valve Open | Automatic
Hi Press Deviation | Automatic
Normal Pressure | Automatic
Lo Press Deviation | Automatic
SI Block Enable | Window to actuate SIAS block for cooldown
SI Actuation | Automatic
Trip RCPs | T2/L2 EOP strategy
RCP Restart Pressure Permit | On increasing pressure
Trip all RCPs | On decreasing pressure
Isolate SIT | During controlled cooldown; only on decreasing pressure
Unisolate LTOP | On decreasing temperature; during controlled cooldown & depressurization
SCS Entry | Cooldown & depressurization

Table 18.5.2-11 Pressurizer Pressure Characteristics

Each entry gives the display Type, its Characteristics, and the Rationale.

Gross Function Prompt = SI Actuation
Display: Status. A pressure point is needed to determine that SI actuation is necessary for EOP events with a loss of pressure/inventory control. The operator uses this to verify actuation of SI. If proper actuation has not occurred this information prompts manual actuation.
Range: Actuate SI/Off. See rationale for status above.
Accuracy: N/A. Display accuracy for a status is ambiguous, therefore no requirement is specified.
Units: On/Off. Units for an operator prompt or annunciator (on/off represents no specific unit requirements).

Gross Function Prompt = RCP Trip
Display: Status. A pressure point is needed to determine when to implement the trip 2/leave 2 RCP operating strategy for EOP events with a loss of pressure/inventory control (also for trip 4 when below RCP operating limits).
Range: Trip RCPs/Off. See rationale for status above.
Accuracy: N/A. Display accuracy for a status is ambiguous, therefore no requirement is specified.
Units: On/Off. Units for an operator prompt or annunciator (on/off represents no specific unit requirements).

Gross Function Prompt = Pressure Temperature Tech Spec Limitations
Display: Value. A value is needed to assess the parameter to compare with P-T limitations.
Range: 485 to 2485. These high and low values are consistent with the pressure constraints of the P-T curve supplied with C-E plants.
Accuracy: ±100. Typical P-T graph resolution. Comparisons can be made assuming a display accuracy not significantly greater than the reading resolution (60-80 psi).
Units: psig. Units for a pressurized fluid system operated at elevated temperatures. PSIG are the appropriate units to determine subcooling of a system's fluid. Units of PSIG are consistent with pressure instrumentation throughout the plant.

Gross Function Prompt = RHR Operation (Shutdown Cooling System Operation)
Display: Value. A value is needed to assess the parameter to compare with constraints or limits of RHR operation.
Range: 0 to 885. The high value is the minimum pressure for SDC entry (System 80+). The low is a minimum to monitor refueling operations entry (approx. atmospheric).
Accuracy: ±5. To be able to determine if depressurized or if change in pressure has occurred to approach LTOP.
Units: psig. Units for a pressurized fluid system operated at elevated temperatures. PSIG are the appropriate units to determine subcooling of a system's fluid. Units of PSIG are consistent with pressure instrumentation throughout the plant.

Gross Function Prompt = Standard Post-Trip Actions
Display: Trend. A pressure trend supports diagnostics and assessment of plant transient conditions.
Range: 485 to 2485. Low range: below SI tank pressure (LOCA large break). High range: safety or PORV relief setpoint (ATWS/LOCA).
Accuracy: ±100. Based on transient rates of pressure (-600 psi/min (LOCA); -650 psi/min (SGTR); and -400 psi/min (RT)); for this application, accuracy for diagnostics is not as important as the ability to determine the parameter's characteristic trend or changes.
Units: psig. Units for a pressurized fluid system operated at elevated temperatures. PSIG are the appropriate units to determine subcooling of a system's fluid. Units of PSIG are consistent with pressure instrumentation throughout the plant.

Gross Function Prompt = Margin of Subcooling
Display: Value. A value is needed to assess the parameter as compared with saturation conditions. The intent is to ensure subcooled liquid is available to transfer mass (fluid mass) for heat removal.
Range: 0 to 1985. T is approx. 615°F, which corresponds to approx. 1585 psig as a high saturation pressure without pressurizer control (LOCA, SGTR, etc.), to Hi Pzr pressures of approx. 2385 psig (Hi relief pressure). A low T is approx. 500°F, which corresponds to approx. 665 psig, an assumed low for LOCA & SGTR. From normal operating pressure this yields a margin of pressure equivalent to approx. 1585 psig. MSLB approx. 400°F and 235 psig, or 1985 psig subcooled.
Accuracy: ±70. To be able to determine if subcooling exists or does not exist in the fluid remaining. Assume the relation 7 psi/°F and ±10°F.
Units: psig subcooled. Use of units needs to be consistent with the normal measures of pressure (i.e., pressurized subcooled system at high temperatures using psig).

Table 18.5.2-12 Reactor Trip Time Profile

Strategy Element No. | Time into event (minutes) | Parameter to Observe | Time allotment for information (minutes)[1] | Processing Times (msec) | Number of Control Actions | Correction Factor (sec)
1.01 | 0.00 | CEA position | 0.50 | 380 | | 1.0
1.01 | 0.00 | CEA position | 0.50 | 248 | | 0.5
1.01 | 0.00 | Reactor Power (NI) | 0.50 | 450 | 4 | 2.5
1.01 | 0.00 | Startup Rate (NI) | 0.50 | 310 | 4 | 2.5
1.02 | 0.00 | Turbine Generator Breaker Position | 0.50 | 248 | | 1.0
1.02 | 0.00 | Turbine Trip | 0.50 | 248 | | 1.0
1.03 | 0.00 | Time | 0.00 | 380 | | 1.0
1.04 | 0.00 | Time | 0.00 | 380 | | 1.0
1.04 | 0.00 | Pressurizer Pressure | 0.50 | 380 | | 1.0
1.05 | 0.00 | RCP Amperes | 0.00 | 310+450 | | 1.0
1.06 | 0.00 | Emergency Feedwater Flow | 0.00 | 450+450 | 2 | 1.5
1.06 | 0.00 | Main Feedpump Speed | 0.00 | 248 | 3 | 2.0
7.00 | 0.00 | RCS Average Temperature | 0.00 | 380 | 2 | 1.5
7.00 | 0.00 | Steam Generator Pressure | 0.00 | 380 | 2 | 1.5
7.00 | 0.00 | Turbine 1st Stage Steam Pressure | 0.00 | 380 | | 1.0
1.07 | 0.14 | Containment Pressure | 2.00 | 248 | | 1.0
1.08 | 0.14 | Containment Pressure | 2.00 | 248 | | 0.5
1.08 | 0.14 | Containment Pressure | 2.00 | 248 | | 0.5
1.09 | 0.14 | Containment Pressure | 2.00 | 248 | | 0.5
1.09 | 0.14 | Containment Pressure | 2.00 | 248 | | 0.5

Table 18.5.2-12 Reactor Trip Time Profile (Cont'd.)

Strategy Element No. | Time into event (minutes) | Parameter to Observe | Time allotment for information (minutes)[1] | Processing Times (msec) | Number of Control Actions | Correction Factor (sec)
2.00 | 0.14 | Containment Pressure | 2.00 | 248 | | 0.5
2.00 | 0.14 | Containment Pressure | 2.00 | 248 | | 0.5
1.02 | 0.50 | 13.8 kV Services Bus Feeder | 0.50 | 248 | 2 | 1.5
1.02 | 0.50 | DG Output Breaker | 0.50 | 248 | 2 | 1.5
1.02 | 0.50 | DG Output Frequency | 1.50 | 380 | 2 | 1.5
1.02 | 0.50 | DG Output Voltage | 1.50 | 380 | 2 | 1.5
1.03 | 0.50 | PLCS Setpoint Level | 0.50 | 310+450 | | 1.0
2.00 | 0.50 | Pressurizer Pressure | 2.0 | 310+(3 sec calc)[2] | | 1.0
2.00 | 0.50 | Steam Generator Level | 10.00 | 310+(2 sec calc) | 2 | 1.5
1.05 | 0.60 | RCP Speed | 2.50 | 248 | 4 | 2.5
1.05 | 0.60 | RCS Cold Leg Temperature | 2.50 | 310+(.5s calc) | 4 | 2.5
1.05 | 0.60 | RCS Hot Leg Temperature | 2.50 | 310+(.5s calc) | 2 | 1.5
1.03 | 1.00 | Charging Flow | 0.05 | 380 | | 1.0
1.03 | 1.00 | Letdown Flow | 0.50 | 380 | | 1.0
1.04 | 1.00 | PPCS Setpoint Pressure | 0.50 | 310 | | 1.0
1.06 | 1.00 | Main Feed Flow | 0.50 | 380 | 2 | 1.5
1.06 | 1.00 | Main Feedwater Flow | 0.50 | 450 | 2 | 1.5
1.06 | 1.00 | Steam Generator Level | 0.50 | 248 | 2 | 1.5

Table 18.5.2-12 Reactor Trip Time Profile (Cont'd.)

Strategy Element No. | Time into event (minutes) | Parameter to Observe | Time allotment for information (minutes)[1] | Processing Times (msec) | Number of Control Actions | Correction Factor (sec)
1.06 | 1.00 | Steam Generator Pressure | 0.50 | 380 | 2 | 1.5
1.07 | 1.00 | Steam Plant Radiation | 0.50 | 248 | | 1.0
1.04 | 1.20 | Pressurizer Pressure | 0.50 | 310 | | 1.0
1.03 | 1.33 | Pressurizer Level | 2.50 | 380 | | 1.0
1.03 | 1.33 | Pressurizer Level | 2.50 | 310 | | 0.5
2.00 | 1.33 | Pressurizer Level | 2.50 | 450 | | 0.5
1.02 | 1.50 | DG Output Breaker | 1.5 | 380 | 2 | 1.5
1.03 | 1.50 | RCS Subcooling | 1.50 | 248 | | 1.0
1.06 | 2.00 | Main Steam Flow | 0.50 | 380 | 4 | 2.5
5.00 | 2.00 | Pressurizer Level | 6.50 | 310 | | 1.0
1.06 | 2.50 | RCS Average Temperature | 0.50 | 380 | 2 | 1.5
6.00 | 2.50 | Pressurizer Pressure | 0.50 | 310 | | 1.0
1.07 | 3.00 | Containment Area Radiation | 2.00 | 248 | | 1.0
7.00 | 3.50 | Main Steam Flow | 10.00 | 380 | 4 | 2.5
10.03 | 3.50 | RCP Speed | 10.00 | 248 | 4 | 2.5
10.03 | 3.50 | RCS Cold Leg Temperature | 10.00 | 310+(.5s calc) | 4 | 2.5
10.03 | 3.50 | RCS Hot Leg Temperature | 10.00 | 310+(.5s calc) | 2 | 1.5
9.02 | 7.60 | Pressurizer Heater Power | 2.00 | 380 | | 1.0
9.02 | 7.60 | Pressurizer Pressure | 2.00 | 310 | | 1.0

Table 18.5.2-12 Reactor Trip Time Profile (Cont'd.)

Strategy Element No. | Time into event (minutes) | Parameter to Observe | Time allotment for information (minutes)[1] | Processing Times (msec) | Number of Control Actions | Correction Factor (sec)
9.02 | 7.60 | Pressurizer Pressure | 2.00 | 450 | | 0.5
8.00 | 10.00 | Steam Generator Level | 5.00 | 310 | 2 | 1.5
8.01 | 10.00 | Main Feedwater Flow | 0.50 | 380 | 2 | 1.5
8.02 | 10.00 | Emergency Feedwater Flow | 2.50 | 450+380 | 2 | 1.5
9.01 | 20.00 | Condensate Storage Tank Level | 15.00 | 310+(.5s calc) | 2 | 1.5
9.01 | 20.00 | IRWST Level | 15.00 | 310+(.5s calc) | | 1.0
10.01 | 20.00 | Pressurizer Level | 10.00 | 310 | | 1.0
10.02 | 20.00 | Pressurizer Pressure | 10.00 | 310 | | 1.0

Notes:
[1] A "0.00" value indicates that the time constraint for that element is indeterminable or does not exist. These are included in the cognitive loading.
[2] Added 3 seconds to account for operator calculations not previously considered in analysis.

Table 18.5.4-1 MCR Minimum Inventory of Fixed Position Annunciators, Displays and Controls

Parameter Description: Annunciators[1] / Displays / Controls
Offsite Bus voltage status: X
120 VAC Vital load center voltage status: X X
125 VDC Vital load center voltage status: X X
24 kV Main Turbine Generator output breaker position: X X X
4.16 kV Class 1E bus breaker positions (supply & crossover): X X
4.16 kV Class 1E voltage status: X X
4.16 kV Diesel Generator output breaker position: X X X
4.16 kV Diesel Generator start control: X
4.16 kV Diesel Generator synchroscope: X X
4.16 kV Reserve Aux Xfmr output voltage status: X
480 VAC Class 1E voltage status: X X
Annulus ventilation control setpoint: X X
Annulus ventilation damper position: X X
Annulus ventilation fan on/off: X X
Atmospheric dump valve position: X X
CEA position: X
CET temperature: X[2]
CIAS actuation: X X
CIAS success monitor: X X[2]
CCW HX inlet valve position: X X
CCW HX outlet valve position: X X
CCW HX outlet flow: X
CCW pumps on/off: X X
CCW surge tank level: X
Containment hydrogen level (when analyzer is in operation): X X[2]
Containment pressure: X X[2]
Containment radiation: X X[2]
CSAS actuation: X X
Containment Spray flow: X
Containment Spray pump on/off: X X
Containment Spray pump discharge valve position: X X

Table 18.5.4-1 MCR Minimum Inventory of Fixed Position Annunciators, Displays and Controls (Cont'd.)

Parameter Description: Annunciators[1] / Displays / Controls
Containment temperature: X X
DVI valve position: X X
EFAS actuation: X X
EFW flow control valve position: X X
EFW header flow: X
EFW motor-driven pump on/off: X X
EFW pump suction pressure: X
EFW steam-driven pump on/off: X X
EFW-to-SG isolation valve position: X X
EFW Storage Tank level: X X[2]
Hot Leg injection valve position: X X
IRWST level: X
Main Control Room HVAC isolation dampers: X X
Main Steam radiation (area monitors & line monitors): X
Main Steam safety valve position: X
SG safety valve position: X
MSIS actuation: X X X
Nuclear Annex building ventilation radiation: X
Primary Coolant Radiation: X X[2]
PZR Backup Heaters on/off: X X
PZR level: X X[2]
PZR Pressure: X X[2]
Rapid Depressurization valve position: X X
RCP on/off: X X
RCS Cold leg temperature: X[2]
RCS Hot leg temperature: X[2]
RCS pressure: X[2]
RCS subcooling margin: X X[2]
Reactor Building subsphere ventilation radiation: X
Reactor Cavity level: X X[2]
Reactor Coolant gas vent valve position: X X
Reactor power (NI): X[2]
Reactor Trip (RPS): X X

Table 18.5.4-1 MCR Minimum Inventory of Fixed Position Annunciators, Displays and Controls (Cont'd.)

Parameter Description: Annunciators[1] / Displays / Controls
Reactor Vessel level: X X[2]
SCS flow (while SCS is in operation): X X
SCS isolation valve position (& LTOP): X X X
SCS HX Bypass Valve position: X X
SCS HX CCW supply/isolation valve position: X X
SCS HX Bypass Inlet & Outlet temperature (when SCS is in operation): X
SCS HX outlet valve position: X X
SCS pump on/off: X X
SCS/CSS pump suction cross-connect valve position: X X
SCS/CSS pump discharge cross-connect valve position: X X
SIAS actuation: X X
SI flow: X
SI pump on/off: X X
SI throttling isolation valve position: X X
Spent Fuel Pool level: X
Startup Rate (NI): X
CCW HX station service water inlet isolation valve position: X X
CCW HX station service water outlet isolation valve position: X X
CCW HX station service water outlet flow: X
SSW pump on/off: X X
SG Blowdown sample radiation: X
SG level: X X[2]
SG pressure: X X[2]
Vacuum Pump Activity: X
Turbine Trip: X X

Notes:
[1] Annunciators are alarms and other alerting displays designed to direct operator attention.
[2] Reg. Guide 1.97 Category 1 instrumentation.


18.6 Control Room Configuration

The Nuplex 80+ control room configuration was developed through an evolutionary process beginning with the Nuplex 80 reference design configuration. Considerations influencing the design included new plant system configurations for System 80+, post-TMI indication requirements, improved methods of alarm and display, and the application of current human factors criteria and methods. The following sections document the Nuplex 80+ operational requirements, relevant human factors criteria, evaluation of configuration candidates, and design of the selected Nuplex 80+ control room configuration.

18.6.1 Definition of Configuration Terms

The discussion in this section employs the following definitions relating to the Advanced Control Complex:

  • Controlling workspace: The area between and including the control panels from which plant monitoring and control actions are taken.
  • Control room: The entire area of the room containing the controlling workspace, including operations and administrative offices and storage rooms (e.g., Document Room).
  • Advanced Control Complex: The Advanced Control Complex includes the following control facilities and the I&C systems and equipment located within them:

1. Control Room
2. Remote Shutdown Room
3. Computer Room
4. Technical Support Center
5. Vital Inst. & Equipment Rooms (A,B,C,D)
6. Non-Essential Electrical Equipment Rooms (X,Y)
7. Miscellaneous I&C equipment and systems located throughout the plant.

18.6.2 Operational Requirements and Staffing Design Bases

18.6.2.1 Operational Requirements

As a precursor to developing and evaluating candidate control room configurations, a set of Nuplex 80+ operational requirements was established. The purpose of these requirements was to identify the desired and necessary operational features and the significant constraints on the configuration design relating to plant operation. The requirements were generated from a variety of sources. Some were based on industry requirements for future plants (e.g., supporting one-person operation between hot standby and full power). Another set of requirements was generated from experience-based problems, such as limiting access to the controlling workspace and overview display visibility. A final set was related to licensing issues. This included the Regulatory Guide 1.97 criterion to integrate displays such that those used during normal operation are also used during accident mitigation. Recent NRC concerns with respect to sabotage are addressed. These requirements have been incorporated into the Nuplex 80+ design bases and are presented in Section 18.3.2, primarily as the control room staffing and configuration design bases. Some operational requirements affecting the configurations are found in the control panel, and information presentation and control design bases. The operational requirements, along with the human factors criteria presented in the next section, were used as the basis to evaluate each candidate configuration design.

18.6.2.2 Staffing Assumptions[1]

The Nuplex 80+ control room is designed to provide operational flexibility to accommodate a wide range of control room staffing requirements. A target operating staff was established to allow design and validation of the advanced control complex. The staffing target is indicated below with typical NRC qualifications shown:

Number | Position Title | Qualification
1 | Shift Supervisor (SS) | SRO
1 | Control Room Supervisor (CRS) | SRO
3 | Assistant Reactor Operators (ARO) | RO
1 | Shift Technical Advisor (STA) |
2 | Nuclear Equipment Operators (NEO) |

18.6.3 Workspace and Configuration Human Engineering Criteria

The development and evaluation of control room configurations also requires a comprehensive set of human engineering criteria related to workspace design. Workspace and configuration criteria for Nuplex 80+ are based on requirements defined in the Human Factors Engineering Standards Guidelines and Bases (HFESGB) for System 80+ (Reference 1). Specific configuration criteria utilized for design of the Nuplex 80+ ACC are listed below:

  • All standup panels in Nuplex 80+ conform to HFESGB anthropometric guidelines.
  • All sitdown panels in Nuplex 80+ conform to HFESGB anthropometric guidelines.
  • At sitdown panel work stations, an operator is able to access all information and controls for all actions that occur in a sequence.

[1] NRC Staff approval is required prior to implementing a change in this information; see DCD Introduction Section 3.5.

  • In the controlling workspace, operators have proper line of sight to all information and controls relating to a task in accordance with HFESGB requirements.
  • Operators are able to integrate and associate information and controls across workstations.
  • Adequate work surface (lay-down space) is provided at, or near, controlling workspace consoles for procedures, schematics and other documents without interfering with display viewing or control manipulation.
  • All desks and chairs in the control room are designed in accordance with HFESGB guidelines for usability and comfort.
  • Chairs provided for sit-down panels have roller wheels for easy movement across the workstation.

  • Operators have unimpeded physical access from one workstation in the configuration to another.

  • Adequate passageway between consoles and other work areas in the configuration is provided.
  • No obstacles (steps, file cabinets and so forth) are located between the SS and CRS workspace and the controlling workspace, to ensure safe and timely movement to the control area.
  • An observation area is provided to permit viewing of control room operations while limiting non-essential access and movement in the control room.
  • Designated workspace is provided for the Shift Supervisor and Control Room Supervisor, with unimpeded visual access to a status overview board and the controlling workspace.
  • Adequate storage is provided for reference documents and drawings at a readily accessible location.
  • Accommodations such as storage for equipment and supplies are provided for personnel who work in the control room on a periodic basis.

18.6.4 Candidate Configuration Evaluation

18.6.4.1 Reference Design Configuration

The Nuplex 80+ ACC design has evolved from the Nuplex 80 ACC design developed for the TVA Yellow Creek units. The 1980 reference design used as the starting point for the Nuplex 80+ configuration evaluation is shown in Figure 18.6.4-1. The Nuplex 80 panels were divided into two groups: the Master Control Console (MCC), consisting of panels B1-B7, and the Auxiliary Control and Safety Center (ACSC), encompassing panels D0-D7. The MCC was designed for normal startup, power operation and shutdown. The MCC panels were designed as sitdown panels. The ACSC provided control room functions related to accident mitigation and auxiliary operations. The safety center panels provided all safety grade indications and controls necessary for effectively coping with accidents requiring PPS initiation, monitoring or control. The auxiliary control panels were used for infrequently performed actions such as plant heatup and cooldown. The ACSC panels were designed as standup panels.

18.6.4.2 Reference Design Evaluation Results

The first phase of the configuration development process evaluated the TVA Nuplex 80 reference design configuration with respect to the operational requirements and Human Factors Engineering (HFE) criteria identified previously. The following design considerations did not meet the Nuplex 80+ criteria:

  • There was no workstation for a control room supervisor.
  • Normal and accident monitoring displays were distinctly separated, with the safety indications and controls being used only for accident conditions. This required the operator to use indications and controls during accident mitigation with which he was less familiar than with those used on a day-to-day basis.
  • The configuration provided little possibility of allowing visibility into the control room from the shift supervisor and control room supervisor offices.
  • The configuration had no location for a "big board" overview display which would be visible from all control panels.
  • Specific operational concerns were identified relating to the use of auxiliary feedwater, atmospheric dump and turbine bypass systems during startup and shutdown sequences, due to the location of indications and controls. The above systems are closely related to the steam generator response but were located on the ACSC with the steam generator indication being on the MCC.
  • Specific operational concerns during accident conditions were identified relating to coordinating the use of normal controls on the MCC and safety controls on the ACSC, given the significant physical separation. In addition, indications required for verifying post-trip response were separated by significant physical distances.

18.6.4.3 Candidate Configurations and Evaluations

In response to the concerns with the Nuplex 80 reference design configuration, alternate configurations for the ACC were developed and evaluated. The following paragraphs discuss the various configurations which were evaluated.

A simple alternate strategy, to primarily address operational concerns, was to provide duplicate indication and control on the MCC and ACSC for selected equipment. This would include locating RCP controls, pressurizer spray controls and turbine bypass controls on the ACSC. Major drawbacks of this approach are the resulting increase in panel size (and therefore cost) and the need to design control systems with the ability to be actuated from two locations. Another weak point is the failure to improve the integration of normal and post-accident displays.

A more comprehensive alternative was developed based on reconfiguring the Nuplex 80+ panels to reduce the physical separation between the MCC and selected ACSC panels. This approach split the safety center panels into primary system and secondary system indications and controls and placed them adjacent to the RCS and turbine MCC panels respectively. Essentially all safety instrumentation was integrated into the MCC, leaving only auxiliary indications and controls on the ACSC. Figure 18.6.4-2 depicts the changes to the Nuplex 80 configuration based on this approach. This approach eliminated most of the operational concerns with the reference design configuration without requiring duplication of indications and controls. This approach would allow operators to use the same indications and controls during an accident as they use normally. Drawbacks to this approach include the significant increase in MCC size, which would require two operators for startup and shutdown evolutions. This arrangement did not address the need for a CRS workstation or visibility into the controlling workspace from control room offices.

A further revision took the key features of the above two approaches to develop a hybrid Nuplex 80 control room using both panel relocation and control and indication duplication. The resulting configuration is shown in Figure 18.6.4-3. This configuration would have likely facilitated one-person operation of the MCC. However, it still did not address the CRS workstation and visibility concerns.

The next configuration focused on accommodating a control room supervisor's workstation and visibility into the controlling workspace from control room offices. An initial approach was to reconfigure the Nuplex 80 panels from the previous step into a horseshoe arrangement while keeping the organization of the MCC intact. This approach is shown in Figure 18.6.4-4. This configuration has the advantage of both accommodating a control room supervisor's workstation and allowing visibility into the controlling workspace. It also allowed visibility of an overview display from the control room offices. This approach also addresses the operability concerns noted earlier. The major drawback of this approach was that the horseshoe configuration required complete redesign of the MCC panels due to the new viewing angles introduced. MCC viewing angles had previously been optimized for the TVA reference design. Scoping investigations indicated that it would be difficult to incorporate the optimum viewing angles into the horseshoe design. Another drawback of the horseshoe configuration was the significant increase in the dimensions of the controlling workspace.
The next configuration evaluated for the Nuplex 80+ control room was developed by keeping the original MCC design and dividing the ACSC physically into two sections. This resulted in separate consoles for the safety center and the auxiliary controls, separated by the control room supervisor's console. This configuration addressed both the need for the control room supervisor workstation and the required visibility into the controlling workspace. It also provided a location (above the MCC) for a plant overview board that was visible from all locations. Operational concerns were addressed by moving a small set of indications and controls to the MCC as discussed in earlier candidate configurations. This configuration is shown in Figure 18.6.5-1. After evaluation of this configuration and some minor refinements, it was selected as the Nuplex 80+ control room configuration. The configuration is described in detail in the next section.

18.6.5 Nuplex 80+ Control Room Configuration

The configuration development process discussed in the previous section resulted in the Nuplex 80+ control room configuration typified in Figure 18.6.5-1. The primary operational areas of this control room are the MCC, ACSC, CRS console and personnel offices. The function and characteristics of each of these operational areas are discussed in this section. Important human factors engineering considerations relating to workspace design are also discussed. These include workspace visibility, mobility, access, operator furnishings, and console profiles. Note that for this design the ACSC has been renamed the "Auxiliary Console and Safety Console" (previously the Auxiliary Control and Safety Center). This reflects the division between these panel groups and the autonomy of each.

18.6.5.1 Master Control Console (MCC)

The Nuplex 80+ MCC is a console designed primarily for performance of operator functions during normal operation of the System 80+ plant. It has been designed specifically to permit performance of all monitoring and control tasks associated with maneuvering between hot standby and full power by a single operator. This includes all systems and equipment required for startup, shutdown, power maneuvers and standard post-trip actions following a reactor trip. The MCC also provides monitoring and control capability for the MCC systems and equipment related to plant operation during heatup, cooldown, refueling and post-accident conditions. The MCC supports monitoring of critical functions and success paths during post-accident conditions. The MCC also provides investment protection monitoring and control capability for key components.

The high level organization of the MCC control panels is based on major plant systems. The primary reason for selecting a systems approach to control panel organization was that controls are typically actuated on a system or subsystem basis. A systems-oriented high level approach facilitates effective control of the plant. To support the operator's functional cognitive model, indication and controls on individual panels are grouped by operational function. This approach was extended to the remainder of the control panels.

The alternative to a systems panel design approach is a functional control panel organization. The primary benefit of viewing a nuclear plant functionally is for plant monitoring and the accurate determination of the actual plant condition. In Nuplex 80+ the functional needs of the operator are met by the Integrated Process Status Overview (IPSO), which helps bridge the gap between functions and plant systems, the high level display pages, and the critical function monitoring and success path monitoring application programs of the Data Processing System (DPS). Through these programs sufficient critical function information is provided to meet the operator's functional information needs under any plant condition. These programs also satisfy Safety Parameter Display System (SPDS) requirements as an integrated part of the information hierarchy. This is discussed further in Section 18.7.1.

The MCC is divided into two sections relating to NSSS and BOP systems. The functions of each section are assigned to control panels based on the functional task analysis and plant operations experience. Panels and panel sections are arranged at the MCC based on the frequency of their use. Functions performed most frequently are placed toward the center of the console. The MCC design is a five-panel console organized as shown on Figure 18.6.5-2. NSSS panels are provided for functions relating to the RCS (including RCPs), CVCS and plant monitoring and control. BOP panels are provided for feedwater and condensate and the turbine/generator. The panel layouts, including indication and controls for each panel, are provided in Section 18.7. Note that the IPSO display is mounted above and behind the MCC to allow its observation from throughout the controlling workspace and from the control room offices. The IPSO is not attached to, nor is it part of, the MCC workstation.

As previously identified, the MCC is designed for one person during normal operation. However, it will comfortably accommodate up to one operator per panel section, either during normal operation, emergency operation, or other plant conditions. The MCC is designed for either standing or seated operation. A description of the panel profile is provided in Section 18.6.5.7. A chair with rollers is provided at the MCC to accommodate one-person sit-down operation.

The geographic location of the MCC panels is similar to that of the Nuplex 80 reference design. This takes advantage of the extensive visibility studies performed during that design process. A reconfigurable MCC mockup was used to determine optimum viewing angles at the MCC panels.

18.6.5.2 Auxiliary Console and Safety Console (ACSC)

The Nuplex 80+ ACSC provides indications and controls required for operator functions that are infrequently performed. The Nuplex 80+ ACSC comprises two distinct functional areas for safety and auxiliary control, as shown in Figure 18.6.5-1. The safety console contains controls and indications related primarily to post-accident operation of the plant and vital auxiliary systems.

The auxiliary console provides indication and control for infrequently used auxiliary systems. This includes systems used only during operating modes other than normal operation, such as heatup and cooldown of the System 80+ plant. The auxiliary console also includes indications and controls for systems relevant to normal operation but infrequently manipulated, such as the switchyard.

The safety console is organized as shown on Figure 18.6.5-2. The safety monitoring panel provides indication and control of the Plant Protection System (PPS), Core Protection Calculator System (CPCS), ESF-Component Control System (CCS), and the Process-CCS. It also provides a single location for monitoring Regulatory Guide 1.97 Category 1 parameters and plant radiation monitors. The Engineered Safety Feature (ESF) panel provides indication and control for safety systems related to ESF functions. The other safety console panels provide indication and controls related to cooling water systems and heating and ventilation systems of the System 80+ plant. The layout of the safety console panels is provided in Section 18.7.4.

J ne auxiliary console is organized as shown on Figure 18.6.5-2. The auxiliary systems are typically used in operating modes not associated with normal operation. The auxiliary console includes panels providing j indication and controls for the plant switchyard and plant electrical distribution. Another auxiliary j s

console panel provides infrequently used indications and controls for the secondary cycle related to the feedwater and condensate systems. The final auxiliary console panel provides fire protection indication j and control. The layout of auxiliary console panels is provided in Section 18.7.4. j l The ACSC panels are designed for standing operation. Both the safety console and auxiliary console l support operation by either one operator or several operators depending on the particular functions being j performed. Console profiles for the ACSC stand up panels are provided in Section 18.6.5.7. As typified l > - on Figure 18.6.5-5, desks and chairs are provided for both the auxiliary and safety consoles. These  ! provide a seated workstation with visibility of the entire Auxiliary Console (AC) or Safety Console (SC) j for long-term operation using these consoles. This is further discussed in Section 18.6.5.5. l 18.6.5.3 Control Room Supervisor (CRS) Console  ! - l The Nuplex 80+ control room includes a CRS console to support the activities of the CRS when that '[ person is in the controlling workspace. The CRS is responsible for coordination of control room  ! operations activities. This includes coordination of heatup, cooldown, maintenance and testing activities j and operation durmg abnormal or emergency conditions. _ The CRS console is located in the controlling l workspace as typified on Figure 18.6.5-3. This allows the CRS visibility of all controlling workspace j c panels, allows him to oversee controlling workspace activities and supports verbal communication with j operators at the other three Nuplex 80+ consoles. The console location is also designed to limit access 'j ' to the controlling workspace and provides a location for controlling workspace operations personnel to ~ interface with other plant personnel without requiring entry into the controlling workspace.  ; 4 k 4pment ses> assewser- manen recens eq, mea $e pay, ts.sq J i


System 80+ Design Control Document

The CRS console is designed to accommodate a maximum of two people. This provides a shift supervisor or Shift Technical Advisor (STA) a workstation in the controlling workspace simultaneously with the CRS, if desired. The CRS console meets the CRS's information needs through two DPS VDUs and visibility of the entire controlling workspace, including IPSO. There are no controls located at the CRS console. Communications located at this console are discussed in Section 18.6.6.

18.6.5.4 Control Room Offices

The Nuplex 80+ control room provides offices for control room personnel when they are not actively participating in operations activities in the controlling workspace. This assures that the design of control room offices is integrated with the overall control room design philosophy. Provisions of the control room offices allow flexibility for utility preferences and accommodate varying plant conditions and staffing requirements. The Nuplex 80+ ACC design features three dedicated offices: one each for the CRS and the shift supervisor, and a support office that provides workstations for Assistant Reactor Operators (AROs) and Nuclear Equipment Operators (NEOs). These are depicted on Figure 18.6.5-4. The offices have a set of common characteristics based on the operational requirements of the control room and HFE criteria. These include visibility into the controlling workspace from the SS and CRS offices to allow monitoring of the activities being performed there and to enhance verbal communication with the operating staff. The SS and CRS offices also provide adequate line of sight to the big board IPSO to facilitate maintaining an overview of the plant condition without leaving the office. This provides a fixed, constant overview that will direct personnel in the offices to more detailed information on their DPS VDUs if necessary.

The control room offices also provide easy and quick access to the controlling workspace should the operations staff require assistance. In addition to visual communication between the controlling workspace and the control room offices, direct telephone communication is also provided from the MCC and CRS console to each office. To meet information requirements, the shift supervisor and CRS offices are each equipped with a DPS VDU from which any DPS display page can be accessed, including the IPSO. Unique features of each office are discussed in the following sections. Note that the Technical Support Center (TSC) is shown on Figure 18.6.5-4. This also serves as a control room office during non-emergency situations to allow planning sessions and accommodate visitors without control room interference. The TSC is discussed in Section 13.3.

18.6.5.4.1 Shift Supervisor's Office

The shift supervisor's office is designed to allow him to coordinate activities throughout the plant and perform his normal administrative duties. To facilitate this, communication is provided to local control panels and the controlling workspace (both MCC and CRS console). Communication is also provided to external telephone service for use during emergency conditions. The office location outside the controlling workspace allows him to interface with plant personnel without interfering with operations activities within the controlling workspace. A DPS VDU is available in the shift supervisor's office.

18.6.5.4.2 CRS Office

The CRS office is aligned directly with the center of the controlling workspace to maximize visibility of the controlling workspace and particularly of the MCC. This office is designed to allow the CRS to coordinate control room operations activities, including testing and maintenance. Interface with plant personnel can be accomplished at his office without interfering with the controlling workspace activities. Telephone communications are provided similar to those of the shift supervisor's office. A DPS VDU is available in the CRS's office.

18.6.5.4.3 ARO/NEO Support Office

The ARO/NEO workstation is located in a control room support office located outside the controlling workspace. It accommodates multiple individuals, which include AROs, NEOs and Shift Technical Advisors (STAs). During normal operation, with one man controlling the plant at the MCC, this workspace accommodates the additional operating staff. It supports performance of documentation, surveillance testing, coordination of maintenance activities and other routine tasks. During emergency operation, when multiple AROs are in the controlling workspace, the ARO/NEO workstation accommodates the STA and his activities. The ARO/NEO workstation has two DPS VDUs to provide plant information to the operating staff or STA. It has adequate desk space for documentation tasks or interface discussions. The ARO/NEO workspace also contains a video hardcopy unit and two printers for support of operation in the controlling workspace. The ARO/NEO support office is shown in Figure 18.6.5-4.

18.6.5.5 Control Room Furnishings

This section describes human factors considerations related to operator furnishings within the control room. The following issues are addressed: desks, chairs, procedure storage and laydown space. The major control room furnishing features are indicated on Figure 18.6.5-5.

18.6.5.5.1 Furniture

The controlling workspace is provided with sufficient quantities of desks and chairs to support the intended operational staff. Two desks are provided as exemplified on Figure 18.6.5-5. The desks serve as workspace for operators in the controlling workspace who are not actively performing monitoring or control actions at the panels. The desks' locations allow a line of sight to the entire controlling workspace. They also allow a seated position for monitoring either the AC or SC. This is particularly useful during long-term operations of the ACSC, as would be expected after an accident at the SC and during heatup at the AC. The desks are designed in accordance with desk dimensions required in the HFESGB. The top surface dimensions of each desk are typically 2-1/2 ft by 4 ft. The desk height conforms to HFESGB standards. Chairs are provided in the controlling workspace at the MCC, desks, and at the CRS console as exemplified on Figure 18.6.5-5. Each chair is designed according to the requirements of HFESGB for seated operator stations. Chairs have adjustable heights and are on wheels to facilitate seated movement, particularly at the MCC.

18.6.5.5.2 Document Laydown Space

Adequate space for laying down procedures, manuals and other reference materials while they are in use is provided in the Nuplex 80+ controlling workspace. This is accommodated by rolling bookcases as shown in HFESGB. Rolling bookcases are utilized as the primary source of laydown space for ACSC panels because of the increase in panel size that would be required to provide laydown space on the panels themselves. The detriment to visibility, communication and operability with the larger panels is unacceptable. The Nuplex 80+ controlling workspace dimensions allow use of rolling bookcases without negatively impacting mobility or traffic patterns.

Laydown space for longer-term analysis efforts that do not require control actions is provided at the two controlling workspace desks.

18.6.5.5.3 Reference Document Storage

Adequate reference document storage is provided in the Nuplex 80+ control room. Storage of frequently used procedures and manuals is provided on the rolling bookcases. Dedicated rolling bookcases are provided for the MCC, AC and SC with the frequently used procedures and manuals for each console. Permanent storage space is provided on both control room desks and at the CRS console as exemplified on Figure 18.6.5-6. Additional storage, including storage of large drawings, is provided outside the controlling workspace in the Document Room. This is exemplified on Figure 18.6.5-6 and is convenient to the controlling workspace and control room offices. The ARO/NEO workstation also has space designed for document storage.

18.6.5.6 Workspace Visibility, Mobility and Access

18.6.5.6.1 Visibility Evaluation

Visibility permits general observation, and supports communication and coordination between operators. A visibility evaluation was performed for the Nuplex 80+ configuration to ensure that the visibility requirements identified in the operational requirements and the configuration HFE criteria were met. The visibility evaluation focused on assuring that unobstructed visual access exists among all controlling workspace consoles and from the control room offices to required locations in the control room. Visibility alone does not imply readability, or support monitoring or direct supervision tasks. Readability of panel features from required control room locations was not considered in this visibility evaluation but was considered as part of the panel design process discussed in Section 18.7.

18.6.5.6.1.1 MCC Visibility

Acceptable visibility from the MCC is ensured by demonstrating that the following line of sight and visual access requirements were met. This is shown on Figure 18.6.5-7.

  • Adequate line of sight is provided for an operator standing at any MCC panel to view any other MCC panel.
  • IPSO is visible from the MCC and adequate visual angle exists in the vertical plane to permit viewing it.
  • Safety Console panels and key Auxiliary Console panels are visible from a central location at the MCC.
  • The CRS console and control room offices are visible from the MCC.

18.6.5.6.1.2 ACSC Visibility

Acceptable visibility from both consoles was ensured by demonstrating that the following line of sight and visual access requirements were met at each. This is shown on Figure 18.6.5-8.

  • Adequate line of sight is provided from a central location at both the AC and SC to permit viewing any panel on the respective console.

  • Visual access is acceptable between panels of the AC and SC.
  • The MCC is visible from a central location at either the AC or SC.
  • The CRS console is visible from any ACSC panel.
  • IPSO is visible from any ACSC panel.

18.6.5.6.1.3 CRS Console Visibility

Acceptable visibility is demonstrated from the CRS console by the following visual access considerations. These are shown on Figure 18.6.5-9.

  • All MCC and ACSC panels are visible from the CRS console.
  • Control room offices are visible from the CRS console.
  • IPSO is visible from the CRS console.

18.6.5.6.1.4 Control Room Offices Visibility

Acceptable visibility is demonstrated from the CRS and shift supervisor offices by the following visual access considerations. These are also shown on Figure 18.6.5-9.

  • Unobstructed visual access to the MCC from each office is provided for general observation.
  • IPSO is visible from each office.
  • The CRS console is visible from each office.

18.6.5.6.2 Mobility Evaluation

An evaluation was performed to demonstrate that each member of the Nuplex 80+ operating staff would have adequate mobility within the controlling workspace and that circulation patterns in the controlling workspace would be accommodated efficiently. Figure 18.6.5-10 exemplifies the controlling workspace dimensions and clearances for typical operator work locations and traffic patterns. The following key mobility considerations are provided by the Nuplex 80+ configuration:

  • Adequate operator maneuvering space (3') is provided for seated operation at the MCC (i.e., no obstructions for 3 feet behind the operator).
  • Adequate operator maneuvering space (3') is provided for standing operation at either ACSC console.

  • Adequate operator maneuvering space (3') is provided at both controlling workspace desks.

  • The following circulation patterns are accommodated by the controlling workspace without hindrance to the operators:

      MCC - CRS console
      MCC - AC or SC
      AC or SC - CRS console
      AC - SC
      Control room offices to MCC
      Control room offices to ACSC

18.6.5.6.3 Controlling Workspace Access Evaluation

The Nuplex 80+ control room is designed to accomplish two key controlling workspace access functions. First, the Nuplex 80+ configuration permits rapid, direct access to the controlling workspace from any of the control room offices. This is exemplified on Figure 18.6.5-4. No hindrances are present to obstruct an operator's access to the controlling workspace. Secondly, the Nuplex 80+ configuration limits the access of plant personnel not directly involved with operation to the controlling workspace. This is facilitated by locations for interface at the CRS console, in the ARO/NEO office and at either the shift supervisor's or CRS's office without entering the controlling workspace. The two controlling workspace entry points on either side of the CRS console serve as checkpoints to keep nonessential personnel out of the controlling workspace, particularly during emergency operations. The controlling workspace and control room offices are located within the boundary of a secure area.

18.6.5.7 Console Profiles¹

Two control panel profiles are used in the Nuplex 80+ design. [[A panel profile to accommodate both seated and standing operation has been developed for the MCC and RSP. A standing panel profile has been developed for the ACSC. These profiles were based on anthropometric data including the 95th percentile male and the 5th percentile female in the United States.]]¹ The anthropometric data for these profiles is based on the Human Factors Engineering Standards, Guidelines and Bases for System 80+ and MIL-STD-1472D (Section 18.6, References 1 and 2). Figures 18.6.5-11 and 18.6.5-12 exemplify the dimensions of the Nuplex 80+ profiles. The relationship of the console profiles to the placement of indications and controls is discussed in Section 18.7.2.

18.6.6 Control Room Environment and Communication

This section provides the Nuplex 80+ design criteria which assure that proper HFE environmental and communication principles are incorporated into the design. The criteria assure that the controlling workspace and control room offices are in accordance with design assumptions and accepted human engineering practice.

18.6.6.1 Environmental Design Criteria

The following are environmental HFE criteria which the Nuplex 80+ ACC design meets:

¹ NRC Staff approval is required prior to implementing a change in this information; see DCD Introduction Section 3.5.

  • Temperature

    1. Temperature and humidity levels are maintained in accordance with Human Factors Engineering Standards, Guidelines and Bases for System 80+ (HFESGB) guidelines.
    2. Control room ventilation rates meet HFESGB guidelines.

    The air conditioning, heating, cooling and ventilation systems, described in Section 9.4, are designed to meet these criteria.

  • Illumination

    1. Control room lighting design provides adequate workstation illumination in accordance with HFESGB for the tasks being performed.
    2. Lighting levels are uniform throughout a given workstation.
    3. Task area luminance ratios and reflectance levels are in accordance with HFESGB guidelines. The type of lights chosen and placement of lighting sources minimize glare.
    4. Adequate emergency lighting is provided with automatic activation in accordance with HFESGB guidelines.

    The System 80+ lighting systems, described in Section 9.5.3, are designed to meet these criteria.

  • Auditory Environment

    1. Background noise levels are in accordance with HFESGB requirements. Background noise does not impair verbal communication.
    2. The Nuplex 80+ ACC supports acceptable auditory design by minimizing distances for required communication, keeping non-operating personnel out of the controlling workspace, providing only three audible tones in the alarm system and none in other systems, and providing sound absorbing material in the control room (e.g., carpeting).

  • Habitability

    1. Adequate personal storage is provided for control room personnel.
    2. Adequate rest rooms, eating facilities and lounge areas are provided within easy access of the control room in accordance with HFESGB guidelines.
    3. A pleasant and comfortable decor is provided through color coordination, lighting, and comfortable seating.
    4. Carpeting is provided to lessen fatigue when standing and to reduce ambient noise. Carpeting selected is easily maintainable, resistant to fire and conducive to easy movement of roller carts and chairs.
    5. Impact of control room features (e.g., ceiling, walls, floors, consoles and other furnishings) does not have a negative effect on ambient environmental conditions or habitability of the control room.

18.6.6.2 Communications Design Criteria

Voice communication inside and outside of the control room is essential to the coordination of plant operations. Various communication devices are used to ensure efficient voice transmission in the Nuplex 80+ design. The communication system design is described in Section 9.5.2. The following design criteria ensure correct message interpretation and prompt operator response for these devices.

  • Both intra- and extra-control room communication are provided by the communication system.
  • Standard HFESGB guidelines are followed for each communication device employed.
  • Instructions are provided for the use of each voice communications device, including alternatives, if a specific device becomes inoperable. Instructions are co-located with each device in a readily visible area.
  • Space is provided on control panels in the controlling workspace for communication devices.
  • Multiple communications devices at a workstation are coded to indicate circuit or function.
  • The type and placement of communications devices is compatible with all normal and emergency tasks in plant operation.
  • Visual and manual access to communications devices is not obstructed by furniture or panels.

  • Communication devices are positioned in the control room to minimize walking.

  • All device cords are sufficiently long to permit mobility around a workstation.
  • Response frequency is within the portion of the auditory spectrum for intelligible hearing as per HFESGB. Automatic gain control for receivers is provided to account for unanticipated rises in ambient noise levels.
  • Ringing of communication devices is only implemented where needed. Communication device ringing does not interfere with and is not masked by other control room auditory warning systems.
  • Communications devices are usable by personnel wearing protective gear where required.
  • Headsets are designed for comfortable extended wear.
  • Periodic maintenance steps are performed to ensure transmission systems are working properly.
  • Auditory signals are clear, unambiguous and consistent in meaning with other control room communications.
  • Systems used to transmit nonverbal auditory signals do not also transmit verbal communication.


References for Section 18.6

1. "Human Factors Engineering Standards, Guidelines, and Bases for System 80+", ABB Combustion Engineering, Inc., NPX-IC-DR-791-02.
2. "Human Engineering Design Criteria for Military Systems, Equipment, and Facilities", Department of Defense, Washington, D.C., MIL-STD-1472D, 1981.

Figure 18.6.4-1 TVA Nuplex 80 Reference Design (drawing not reproduced; the only legible label is MAIN CONTROL ROOM)

Figure 18.6.4-2 Duplication of ACSC Control (drawing not reproduced; legible annotations include "Panel size reduced by 1/2 (due to IPSO and dual function CRTs)" and "Not needed with changes in alarm system")

Figure 18.6.4-3 Hybrid Control Room (Proximity Plus Duplication) (drawing not reproduced; legible annotations include "Former safety center and controls that would be used infrequently during an accident (actually auxiliary controls)" and "Panel removed (not needed with changes in alarm system)")

Figure 18.6.5-1 Nuplex 80+ Control Room (drawing not reproduced; legible labels include CRS CONSOLE, SHIFT SUP., SECOND LEVEL TSC AND VIEWING GALLERY, and IPSO)

Figure 18.6.5-2 (caption not legible in the scan; drawing not reproduced; legible labels include MASTER CONTROL CONSOLE, AUXILIARY SYSTEM PANELS, SWITCHYARD (A3), COOLING WATER (A2), SAFETY RELATED INFO, PLANT LEVEL MONITORING AND CONTROL, and INCREASING FREQUENCY OF USE)

Figure 18.6.5-3 Nuplex 80+ Controlling Workspace (drawing not reproduced; legend: "Gray shading defines controlling workspace area")

Figure 18.6.5-4 Nuplex 80+ Control Room Configuration (drawing not reproduced; legible labels include CRS CONSOLE, SECOND LEVEL TSC AND VIEWING GALLERY, and PLANT MONITORING AND CONTROL)

Figure 18.6.5-5 Control Room Furnishings (drawing not reproduced; legible labels include DESK, CRS CONSOLE, and PLANT MONITORING AND CONTROL)

Figure 18.6.5-6 Document Storage Space (drawing not reproduced; legible labels include DOCUMENT ROOM, EMERGENCY SUPPLIES, CRS CONSOLE, and SECOND LEVEL TSC AND VIEWING GALLERY)

Figure 18.6.5-7 MCC Visibility (drawing not reproduced; legible labels include CRS CONSOLE and SECOND LEVEL TSC AND VIEWING GALLERY)

System 80+ Design ControlDocument 5l I e I H r l lA =  ! ll I i si wl'i= k I g ~l I I I ____ ___ -4 __ ___J SECOND LEVEL TSC 8 VIEWING GALLERY

                                                                           \

DEEN g ,

                                                                               \

sananoe Es CRS CONSOLE cm 60* , *g" ' N 's E w~ _

                                                  ~

x\ ,,,,,

                                                                                                 =-

77-gy .-, as- _ eam T"57 E,5 L___ i a Pyt,t E asDMITORING ne cowinai. I **so I i f) ( i ACSC Visibility Figure 18.6.5-8 l

    %)

i L zved oowen asenerw - Hanen Fecsces Engummte Page 18.6-27

System 80 + Design ControlDocument O l I U I I oE = Ew M i I yb b ed l i = sc  ; l I ._ l l l C "2 _ '_ J SECOND LEVEL TSC e VIEW 1MG GALLERY l / OCSM / l /

                                                            ,  ,/         .         -g 1N CRS CONSOLE
                   "                                   [ !\                                t 94
                                   ~
                                                                                              =>

N-T* TumeIM: mes Hvac in!)

  • duS) tut)

L_ T MONITORING AfC CONTROL l IPSO l CRS Console Visibility ngure 18.6.5-9 AMweved Desbyrs Meteriel . Humart Factors Engmeerit'9 Page 18.6-28

O O O

                         $                                                                                                                                                         I n!      -

a u 5 3 K ww e

                         #                                                                                                                                                          o
                                                                                                                                                                                    +

oesEsa?u CONTROL ROOM uo,e df,gg g endu SUPERVISOR tags g CONSOLE g SWITCH- ESF YARD 3 3, A3 M tA78 / \ 4 I : 4.2*- 9.2* = II DESK DESM c WA E tw g 14.5 (A28 l a- a-l gg. l - FIRE PROTEC- HVAC A TURBINE g (MS)

                                                               .l         ,

E FD WTR 1 CONDENSATE CVCS tM91 PLANT tu2) IM31 l MONITORING AND CONTROL g g 7 e P ll y Y

  • E I IPSO l I

W _

                                                                                                                                                                                      ~

System 80+ Design ControlDocument I 1 1

                                                     .-(,
                                                }                         5'
                                                                                       ~

1 1

                                          -     +5*g 24" t

18" 1 ff 15' 4.5 "

                                      /

h 18 "  ; f 25" U 4" U d

  • 26" _-

Nuplex 80+ MCC Panel Profile Figure 18.6.5-11 Sheet I of 3 Approved Design MeterW . Human factors EnghseenHg Page 18.6-30 l

1 'reim 80 + Deslan cond Document O - J l I EYE 5* - j HEIGHT 65* '[- ' 95TH N , PERCENTILE p' 52' )

                                                        /

MALE 48.6" ,s' STH / PERCENTILE FEMALE / 41.6* i 1 I

                                           %%s                     60*
                                             's s 's*

I I

                                                        \

l

                                       ,                                  ,5 5 ' ,,.            q 11        .

5 BO' 4.5 " t __. T

                                       =         18 "            :

f 25" jf 4"  ; U h

                                                                      =     26"               =

l 5 Nuplex 80+ MCC Panel Pronle (Sented Operator Viewing) Mgure 18.6.5-11 Sheet 2 of 3 s Aeprovec Deepn neeenrelet. Numan Fecsers Enpheering Pege 18.641 t

System 80+ Dasign ControlDocument O I y , d s-

                                             \[3 I                                           I A.wwle .96 th pmcontile
      ' W. female . 5 th 5'%
                                                             \

l 24" l E"cewf La 40.8"$ - 35.0" as4La PG fffftLS 34.$ p PSIAALE p 15' d

                  .5-                         ,

Il c 18 " 25" If it Il

                                                                 =            26" Nuplex 80+ MCC Panel Profile (Seated Operator Reach)                         Figure 18.6.5-11 Sheet 3 of 3 Nyweved Desiger Motonin!- JAanen factors Engkwenny                                                   Page 18.6-32

i System 80+ Design ControlDocwnent J 24.40 i 37.41 .

                                                                                         <-5 Degrees                             "           !
(20.68) j 1

' 1 c  ! 6 4 k9 o . O o 5 45.00* N o b x c,j o h g mj m 4 o O nn ' N i' i' Ir a 2 54.00 i 60.00 , 4 i M $b.h.hk2 Nh e V'

                                   ' TV'

i system 80+ Design ControlDocuntant O EYE + 24.4 0 -* HEIGHT

                                                                  =        37.41        =

957H PERCENTILE

                                                                     ~~

WALE .- PERCENT FEMALE

                                              ~

j g s i l^

                                          --    \      %          --

g .."

                                                   \

69.6 56.5 2.00 o , 45 j 72.00 g l d 51.40 34.5[ 25.00 p u u y U

                                                     =               54.00              =
                                              =                  60.00                  =

Nuplex 80+ ACSC Panel Profile (Standing Operator Viewing) Figure 18.6.5-12 Sheet 2 of 3 Approve <f Design Matenial Human factors Enghwerng Page 18.6-34

l. I

      . System 80+                                                            oesian contmioocument O                                                                                                        .
                                             *- 2 4.4 0-+                                                  ,
37.41 =

s PERCEN , Mat.E l 20.68 K i i STH PERCENTILE FEMALE , , 1 -R 35.0 H N H 1 R 25.2 1 l 4 61.8 2.00 72.00 O s1.40 i 2 4. 0 49.4 34.5ll 25.00 U u u u U

                                                 =               54.00             r
                                               =             60.00                 r
    )   Nuplex 80+ ACSC Panel Profile (Standing Operator Reach)            Figure 18.6.5-12 Sheet 3 of 3 kJ am ony uesen\er. hmart Factors Engheerksg                                              P*9018 6~35

System 80+ Design Control Document

18.7 Information Presentation and Panel Layout Evaluation

18.7.1 Nuplex 80+ Information Presentation

Safe, reliable and efficient power generation from Nuclear Steam Supply Systems is directly dependent upon rapid and accurate monitoring and control of both thermal and nuclear processes. Information to support operations needs to be readily available and in a format that supports the operator's information requirements. Nuplex 80+ control room information is available in a number of different formats, which are consistent with particular operator information requirements when performing operational tasks during plant evolutions or responding to unexpected conditions. The operator can obtain plant information from a number of sources in the Nuplex 80+ control room, which include:

  • A large plant overview status board known as the Integrated Process Status Overview (IPSO).
  • Alarm tiles and associated alarm message windows.
  • Discrete indicators, which provide critical function and success path performance indicators.
  • DPS display formats containing essentially all power plant information.
  • Component and process control indicators.

The information in the Nuplex 80+ control room is presented in a structured, hierarchical format to:

  • Organize the information in a logical and coherent manner.
  • Provide an arrangement that enhances operator access to both overview and more detailed information.

The hierarchy of information is consistently applied throughout the control room to all control panels. This makes the method of obtaining supporting, diagnostic, or overview information consistent and thus reduces the level of effort required and the probability of human error. At the top of the information hierarchy is the Integrated Process Status Overview (IPSO). The IPSO is a large, centrally located panel display format that presents the highest level operational concerns. The IPSO allows for a quick assessment of overall plant process performance and helps guide the operational staff to more detailed information (see Figure 18.7.1-1). IPSO also helps guide the operator to alarm tiles, discrete indicators associated with particular workstations/control panels, or the DPS display pages accessible at any panel. The discrete indicators and alarm tiles provide direct guidance (as described in Sections 18.7.1.2.3 and 18.7.1.2.4) to support DPS information and display pages. The entire Nuplex 80+ hierarchy was developed with a consistent set of design conventions, which are described in the next subsection. Subsequent sections provide details on the individual hierarchy components.

Nuplex 80+ discrete indicators and panel alarm tiles are driven by the Discrete Indication and Alarm System (DIAS), whose system architecture is described in Section 7.7.1.4. DPS VDU displays are driven by the Data Processing System (DPS), as described in Section 7.7.1.7. The IPSO is driven by a display processor which receives data from both DIAS and the DPS (see Section 7.7.1.5).

Approved Design Material - Human Factors Engineering Page 18.7-1

The Nuplex 80+ alarms and information displays are designed to provide a reliable, unified yet diverse man-machine interface. High reliability is accomplished through use of redundancy and segmentation within the DIAS and DPS processing and data communications. Diversity allows continued plant operation with a failure in any of the information hierarchy elements. Diversity is accomplished by using both the DPS and DIAS to independently calculate and display the same validated process parameters and alarm conditions. The DPS independently checks the output of DIAS processors and indicates discrepancies. Failure of any display, processing or communication component of either system (including any individual VDU) does not prevent the operator from receiving all required information for plant operation.

A suitability analysis established that the information capabilities of the display hierarchy supported actual performance of specific operator tasks, including the adequacy and appropriateness of the organization, content and access methods. The results of the suitability analysis are contained in the Nuplex 80+ Verification Analysis Report (Section 18.7, Reference 3).

Standardized hardware is used to implement the Nuplex 80+ information presentation HSI requirements. This hardware includes switches, VDUs, and flat panel hardware that were prototyped and evaluated for suitability. ABB/CENP's response to DSER Open Item 18.8-1 (Section 18.4, Reference 11) discusses how human engineering addresses their selection and/or design. Nuplex 80+ uses standard HSI monitoring and control design features (i.e., DPS Display Hierarchy, DIAS Alarm Tile Display, DIAS Dedicated Parameter Display, DIAS Multiple Parameter Display, CCS Process Controller Display, and CCS Switch Configuration). These features and their major characteristics are described below.

• Standard Feature: DPS Display Hierarchy

The DPS Display Hierarchy is a standard Human-System Interface (HSI) feature of the Nuplex 80+ Data Processing System (DPS). The major characteristics of the DPS Display Hierarchy are as follows:

1. The DPS Display Hierarchy is an integrated presentation of Nuplex 80+ process information.
2. The DPS Display Hierarchy provides access to displays incorporating system/component status, process parameters and annunciator status/acknowledgement.
3. Touch-screen VDU devices are utilized.
4. On each display page in the DPS Display Hierarchy, a spatially dedicated message area and main menu are provided.
5. The DPS Display Hierarchy permits selectable access to any of its display pages from any DPS terminal.
6. The DPS Display Hierarchy permits acknowledgment of Nuplex 80+ annunciators.
7. The DPS Display Hierarchy automatically provides specific alarm condition messages at the time of alarm acknowledgment.
8. The DPS Display Hierarchy is configured to conform to the System 80+ Human Factors Standards, Guidelines, and Bases.
9. The DPS Display Hierarchy indications are read at the panel.
10. The DPS VDU devices are located on the vertical panel sections.
11. The DPS Display Hierarchy is diverse and independent of the Discrete Indication and Alarm System (DIAS).

• Standard Feature: DIAS Alarm Tile Display

The DIAS Alarm Tile Display is a standard Human-System Interface (HSI) feature of the Nuplex 80+ Discrete Indication and Alarm System (DIAS). The major characteristics of the DIAS Alarm Tile Displays are as follows:

1. Software-generated alarm tiles present groups of functionally-related alarm status messages.
2. Touch-screen VDU devices are utilized.
3. On each DIAS Alarm Tile Display device, the status of alarm tiles is presented on a single alarm tile display page; for each tile, an associated alarm list page is available to present the status of the individual alarm conditions.
4. Unacknowledged alarms on a single tile are acknowledged through the display as a group.
5. Alarm condition messages are automatically provided upon alarm tile acknowledgment.
6. Alarm tiles are assigned to control panels by corresponding plant systems.
7. Alarm tile display devices are located on the vertical panel sections.
8. Alarm tiles on the alarm tile display page are spatially dedicated.
9. DIAS Alarm Tile Displays are configured to conform to the System 80+ Human Factors Standards, Guidelines, and Bases.
10. Tile details are read at its panel; tile status is visible across the controlling workspace.
11. Alarm tiles are established for process parameters that provide direct indication of:
    - Critical Safety Functions
    - Critical Power Production Functions
    - Success Path performance
    - Success Path availability
    - Damage to major equipment
    - Personnel hazard.
12. Alarms are presented in one of four states: new, existing, cleared, reset.
13. Alarms are prioritized into three levels. Individual alarm tiles have the capability to indicate either the highest priority of new or cleared alarm (i.e., N1, N2, N3, C1, C2, C3 in that order of priority) while continuing to indicate the highest priority existing alarm.
14. An alarm tile stop-flash capability is provided for use during situations of high alarm activity to focus attention on new Priority 1 alarms by temporarily stopping the flashing of all other unacknowledged alarm states.
15. A momentary tone provides an initial audible alert of the transition of one or more alarms to new or cleared states for Priority 1 or 2 alarms.
16. A momentary reminder tone provides a recurring audible alert if Priority 1 or 2 alarms remain unacknowledged.
17. Alarm tones emit from the console where the alarming display is located.

• Standard Feature: DIAS Dedicated Parameter Display

The DIAS Dedicated Parameter Display is a standard Human-System Interface (HSI) feature of the Nuplex 80+ Discrete Indication and Alarm System (DIAS). The major characteristics of the DIAS Dedicated Parameter Displays are as follows:

1. DIAS Dedicated Parameter Displays are software-generated display representations of process parameters. Each dedicated parameter display presents a single value based on redundant sensor data.
2. DIAS Dedicated Parameter Displays present validated information based on redundant sensor data. Validation failures are indicated on the displays.
3. DIAS Dedicated Parameter Displays present spatially dedicated information.
4. A DIAS Dedicated Parameter Display permits continuous display of the individual data points.
5. DIAS Dedicated Parameter Displays incorporate automatic range change features.
6. Touch-screen VDU devices are utilized.
7. DIAS Dedicated Parameter Displays are assigned to control panels by corresponding plant systems.
8. DIAS Dedicated Parameter Display devices are located on the vertical control panel sections.
9. DIAS Dedicated Parameter Displays are configured to conform to the System 80+ Human Factors Engineering Standards, Guidelines, and Bases.
10. DIAS Dedicated Parameter Display values are read from across the Main Control Console; the Display details are read at the panel.
11. DIAS Dedicated Parameter Displays are provided for the following:
    - Critical Safety Functions
    - Success Path performance
    - PAMI indication
    - Reg. Guide 1.97.
12. DIAS Dedicated Parameter Displays are diverse and independent of the DPS display system.

• Standard Feature: DIAS Multiple Parameter Display

The DIAS Multiple Parameter Display is a standard Human-System Interface (HSI) feature of the Nuplex 80+ Discrete Indication and Alarm System (DIAS). The major characteristics of the DIAS Multiple Parameter Displays are as follows:

1. DIAS Multiple Parameter Displays are software-generated display representations of process parameters.
2. DIAS Multiple Parameter Displays present validated information based on redundant sensor data. Validation failures are indicated on the displays.
3. DIAS Multiple Parameter Displays are digital and analog representations of process parameters.
4. A DIAS Multiple Parameter Display permits selection of its individual data points for continuous display.
5. Touch-screen VDU devices are utilized.
6. Multiple parameters are assigned to control panels and combined into common DIAS Multiple Parameter Display devices based on plant systems relationships.
7. DIAS Multiple Parameter Display devices are located on the vertical control panel sections.
8. DIAS Multiple Parameter Displays are configured to conform to the System 80+ Human Factors Standards, Guidelines, and Bases.
9. DIAS Multiple Parameter Display values are read at the panel.
10. DIAS Multiple Parameter Displays are diverse and independent of the DPS display system.
• Standard Feature: CCS Process Controller Display

The CCS Process Controller Display is a standard Human-System Interface (HSI) feature of the Nuplex 80+ Component Control Systems (CCSs). The major characteristics of the CCS Process Controller Displays are as follows:

1. CCS Process Controller Displays are software-generated representations of process control devices and their controlled variables.
2. Touch-screen VDU devices are utilized.
3. CCS Process Controller Display devices are located on the control panel benchboard sections.
4. CCS Process Controller Displays conform to the System 80+ Human Factors Standards, Guidelines, and Bases.
5. CCS Process Controller Displays are read at the panel.
6. Controls are assigned to control panels based on plant systems, and are combined into Process Controller Display devices based on shared functional relationships.
7. The CCS Process Controller display provides capability for monitoring and control of master loop and subloop controls by using static menu regions to select control functions; selected control functions are subsequently manipulated in an adjacent dynamic display region.
8. CCS Process Controller Displays permit selection of operating modes, loop control signal, and loop setpoints.
9. The CCS Process Controller is a man-machine interface device only. All control loop electronics are located outside the main control room.
• Standard Feature: CCS Switch Configuration

The CCS Switch Configurations are a standard Human-System Interface (HSI) feature of the Nuplex 80+ Component Control Systems (CCSs). The major characteristics of the CCS Switch Configurations are as follows:

1. CCS Switch Configurations utilize physical pushbuttons with backlit legend status indicators.
2. CCS Switch Configurations permit on-line replacement and bumpless transfer.
3. CCS Switch Configurations are assigned to control panels based on plant systems, and combined into multiple component units based on functional relationships.
4. CCS Switch Configuration devices are located on the control panel benchboard sections.
5. CCS Switch Configurations conform to the Human Factors Engineering Standards, Guidelines, and Bases for System 80+.
6. CCS Switch Configuration details are read at the panel.(3)

Sections 18.7.1.1 through 18.7.1.8 provide a more detailed description of these features and their associated characteristics.

18.7.1.1 Information Presentation Conventions

Acceptable information system design utilizes consistent conventions for presenting information on all information presentation features. To accomplish this in Nuplex 80+, conventions for information display and access were developed prior to initiation of design activities. Standardization was applied to conventions, representational features, coding, information size and organization, labeling, alarms and information access. These display conventions are discussed in the following subsection. A significant part of the Nuplex 80+ information hierarchy is based on presenting information on DPS VDU or discrete indicating displays. A comprehensive set of criteria was established to assure consistency during creation of these displays. These criteria are an extension of the overall display conventions and are presented in Section 18.7.1.1.2.

18.7.1.1.1 Representation Features

The following representation features have been established for use in all Nuplex 80+ information presentation techniques.

  • Process Symbols

Process symbols help organize information and simplify search tasks. Process symbols are used, when appropriate, on component control switches, IPSO, VDUs, process controllers, and control panels. A standard symbol library was developed prior to the design effort for use on all information features. A symbology study was performed using time-response tests to help determine the most appropriate symbols for the library.

  • Process Representations

Process representations are used, when appropriate, on the control panels, IPSO and VDUs. Process mimic formats use standard information placement for similar processes and equipment. Research was performed to develop conventions matching human population stereotypes. For example, fluid system piping representations are standardized top to bottom and left to right. Incoming and outgoing flow path connections are placed at the periphery, and crossovers are prohibited. Related information is grouped by task analysis specifications for comparison, sequence of use, function, and frequency. Process representations/layout are based on the operator's process visualization to maximize the efficiency of his data gathering tasks. In determining an operator's visualization of a system, consideration is given to diagrams used with learning materials and plant design documentation associated with system descriptions, as well as actual physical interpretation.

(3) NRC Staff approval is required prior to implementing a change in this information; see DCD Introduction Section 3.5.

  • Graphic Layout/Information Coding

Graphic information is presented on display page formats to aid in rapid operator comprehension of processes. Graphic information includes the use of bar graphs, flow charts, trends, and other plots (e.g., temperature vs. pressure).

1. Bar Graphs

Bar graphs are primarily used to represent flows, pressures and levels. Bar graphs are used on DPS VDUs and discrete indicators for applications such as general monitoring where a specific value is not needed, or for convenient data comparison (e.g., two flowrates can be easily compared using two adjacent bar graphs). Bar graphs are also helpful for comparison of numeric quantities.

2. Flowcharts

Flowcharts are used when they aid in the operator's process visualization. Flowcharts may be helpful for understanding control system processes such as the Turbine Control System. Operator learning materials for process control systems are frequently in a flowchart format, and thus a similar format on a display page will be easy to comprehend.

  • Trends and Graphs

Trends are used on display page formats when functional task analysis indicates that the operator should be informed about parameter changes over time. Additionally, the operator will be able to establish trends of any data base points which reside in the DPS data base. Scale labels will be divisible by 1, 2, 5, or 10. Tick marks between scale labels are also divisible by 1, 2, 5, or 10. Trended information is typically presented on display pages with a scale of 30 minutes; however, the operator shall be able to adjust the scale to suit his needs. Logarithmic axes are established using multiples of 10.

18.7.1.1.2 Coding Techniques and Display Conventions

Color is used to provide clear, salient presentation of important display features. Consistent application of discriminable color supports visual search, orientation, alerting, and comparison. Color is always applied as a redundant coding technique, to ensure reliable presentation of important information. As appropriate in the context of specific hardware, the color hues below apply to all control panel and instrument features:

  • Red: Component On/Activated, Valves Open.
  • Green: Component Off/Inactive, Valves Closed.
  • Blue: Component Control "select" type control functions, e.g., auto, permissives.
  • Yellow: Alarm Activated Status.
  • Cyan: Label units and alarm setpoint values for dynamic process parameters on DPS VDUs.
  • White: Dynamic process parameter values on VDUs, message area messages, dynamic bar graph and trend information. System's response to operator touch on VDUs, e.g., highlighting menu selection until appropriate system response occurs.
  • Orange: An alerting hue for non-ordinary, non-alarm information such as existing operator aids and manual control status.
  • Purple: Labels for discrete indicators containing Reg. Guide 1.97 Category 1 and 2 and Type A, B, and C parameters on discrete indicators or DPS VDU pages.

Nuplex 80+ Hue Convention Representation Characteristics:

  • Black: Background hue for labels.
  • Grey: Static text, component labels, dividing lines, menu options, piping, inoperable and non-instrumented valves, graph axis and grids, and other applications not covered by other coding conventions.
  • Tan: Control panel surfaces.
  • Light Brown: Control panel demarcations.

The acceptability of the number of hues and intensities used on displays is provided in Section 18.4 References (3, 6). Final validation of the sum of the various HSI features (including the number of hues and different intensities of colors used for DPS VDUs) afforded by both the main control room and the remote shutdown area will confirm that the operating ensemble supports the successful accomplishment of the operator's functional role and specific tasks under dynamic, real-time conditions. The criteria to evaluate human performance for the usefulness of the ensemble are provided as part of the HFE V&V plan.

Shape coding/conventions, or attribute coding/conventions, is used in the information system as a primary means for the operator to identify problems, equipment component status, component type, direction of process data, alarm priorities and operator aids, and target selection items. The primary means used by the operator in determination of component status is shape coding on the displays of selected components. Hollow symbols indicate active components and filled symbols indicate inactive components. Cross-hatching of either shape indicates that the component is inoperable. The following describes the application of shape coding to selected symbols in Nuplex 80+.

  • Pump/Fan: A hollow pump indicates that the pump has been activated by the operator or automatic control signal. A solid pump indicates that the pump has been deactivated by the operator or automatic control signal. The same coding conventions apply to fans.
  • Valve: A hollow valve indicates that the valve is fully open and a filled valve indicates that the valve is fully closed. A valve not fully open or closed has a mixed filled/hollow shape, i.e., left side filled/right side hollow. A cross-hatched valve indicates inoperable from the CCS.

Information coding on valves is provided by these additional characteristics / representations:

1. Valve Full Open - Red Hue / Hollow.
2. Valve Full Closed - Green Hue / Solid.
3. Valve Mid-Positioned/Throttled - Left side green / solid and right side red / hollow.
4. Valve Inoperable - Cross-hatched texture (of either open or closed symbol shape and color, as appropriate to component position) portrays inoperable status (but not "loss of" operability, per se).
5. Non-Instrumented Valve - The positions associated with these valves are entered manually into the DPS. Valve representations are grey; shape coding (hollow / filled) provides position.
6. Three-Way Valves - These valves allow flow to pass in one of two possible paths, whereby the active flow path is represented on mimics using red / hollow coding and the inactive path is represented by green / solid coding.

To indicate suspect data an asterisk code (*) is used preceding any suspect data. To indicate alarm priorities and operator aids the following codes are used:

  • Priority 1 Alarm - Reverse Video
  • Priority 2 Alarm - Box
  • Priority 3 Alarm - Brackets
  • Operator Aid - Underline beneath descriptor

To identify alarm state (unacknowledged, acknowledged, or reset) the following codes are used:

  • High Intensity - Unacknowledged Alarms & Operator Aids
  • Medium Intensity - Acknowledged Alarms & Operator Aids
  • Low Intensity - Reset Alarms.

To ensure that the operator unambiguously reads multiple superimposed alarm tile states, on/off duty cycles are used as a functional enhancement, not a code. Unacknowledged alarms and operator aids have a fast 50/50 on/off duty cycle, whereas cleared alarms have a different, uneven 25/75 flash duty cycle.

To identify touch targets the following code is used:

  • Button - Control Page Select

To determine the direction of process values the following codes are used:

  • Up Arrow - increasing value
  • Down Arrow - decreasing value
  • Plus Symbol - value high "above control band"
  • Minus Symbol - value low "below control band"
  • Dot - value normal

To identify if data is static or dynamic the following color intensity codes are used:

  • Pure white - Dynamic Data
  • Grey - Static Information

Although Nuplex 80+ uses many techniques, the operators can effectively utilize them under conditions in which their unambiguous discrimination is required. The following is a discussion of how operations personnel effectively utilize these codes under various plant conditions.

Alarm and information processing by operators is context dependent. The context specific use (e.g., reading data, processing alarms, determining equipment status, etc.) of the Nuplex 80+ codes reduces the number of codes that require discrimination in a given situation (e.g., normal operation, post trip, etc.) to a manageable set. The Nuplex 80+ alarm and information codes are provided in Table 18.7.1-1 (Nuplex 80+ Coding Matrix). The operator is not required to process the 15 shape, 8 hue, 5 color intensity, 2 flash rate, and 2 switch position codes simultaneously. For example, if an alarm occurs, the Nuplex 80+ information system performs the following: 1) alerts the operator by an audible tone, 2) directs his or her search by flashing high intensity yellow tiles on functionally organized alarm tiles or menu selections on DPS VDU pages, 3) directs his or her attention with context specific messages and directory information on the DPS VDU, and 4) confirms a cleared alarm by an audible tone and slow flash in low intensity yellow. When in the alarm context, the operator is processing alarm code information, not equipment status, data or other miscellaneous codes. Therefore, only the codes associated with alarms are applicable. Other examples of context dependent use of codes are: 1) the 5 direction shapes are used only to show trend parameter information, 2) the 2 switch position codes are uniquely used to show equipment or position status on only process controllers and switches, and 3) the equipment / component status codes are used only with the equipment / component navigation aids on the DPS VDUs and process controllers.

Many equipment status, data, and miscellaneous codes are aids to the operator, adding beneficial redundancy to already unambiguous displays rather than adding an additional information processing burden. In addition, the Emergency Operations Guidelines are written to simplify operator actions to tasks that require discrimination of only the most important information (e.g., on/off codes, dynamic data codes) and do not require the operator to process alarms or perform detailed diagnostic activities to which many of the codes are applicable. HFE has verified the adequacy of the present codes through suitability analysis. Validation of the collective application of the codes will be performed later in the design process to confirm that the operator can acceptably use the coding scheme as part of the HSI. Additional empirical data showing that operators can effectively utilize the properties and parameters encoded, all colors, and the shape / symbol codes under normal, abnormal, and emergency operations and under all modes of plant operation is not required. The complete Nuplex 80+ Coding Matrix and notes correlating them to HSI devices are presented in Table 18.7.1-1.

18.7.1.1.3 Labeling, Text, and Data

Labels include panel titles, display page titles, function identifiers, equipment identifiers, process identifiers, and parameter identifiers. The following conventions apply to all labels, text, and data in the Nuplex 80+ design.

  • Label Size - Labeling sizes are standard for similar label types (e.g., Control Panel, Group, Subgroup, VDU page titles, Component Identifiers). Labeling size is based on viewing distances in support of information gathering tasks. Labels also help establish a hierarchy for information provided on the control panels and VDU displays. The labeling hierarchy used in the Nuplex 80+ design is specified in Section 18.7.2.3.3.
  • Label Placement - Labels of similar types are placed in consistent locations with respect to panels, demarcations, mimic diagram representations, and component controls.
  • Abbreviations - A standard set of abbreviations has been established for use on all control panel and display pages.
  • Units - A standard set of units has been established for application to all data.

18.7.1.1.4 Alarm Philosophy

Alarm information is integrated into the Nuplex 80+ design. Early in the design process an informal scoping analysis was completed to demonstrate the effectiveness of the alarm methodology in reducing alarms. Final validation of the sum of the various HSI features (including the quantity of alarms and displays) afforded by both the main control room and the remote shutdown area will confirm that the operating ensemble supports the successful accomplishment of the operator's functional role under dynamic, real-time conditions. The criteria to evaluate human performance for the usefulness of the alarms and displays are provided as part of the HFE verification and validation plan. Alarm information is presented on IPSO, DPS VDUs, and alarm tiles.

Nuplex 80+ alarms warn the control room operator of abnormal conditions that require his or her attention because they require significant operator action to maintain safe and reliable plant operation. Nuplex 80+ alarms are categorized as follows:

   -        Critical safety function violations,
   -        critical power production function violations,
   -        major damage to equipment,
   -        success path availability violations,
   -        success path performance violations, and
   -        personnel hazards.

The categories determine alarm display locations. Nuplex 80+ alarms are assigned priorities based on the number of sequential warnings related to the "Significant Operator Action" condition. Alarms are prioritized to help operators order their responses to abnormal conditions. The priorities are:

  • Priority 1 - The last warning (and, in some cases the only warning) prior to reaching a "Significant Operator Action" condition.
  • Priority 2 - Next to last warning prior to reaching a "Significant Operator Action" condition.
  • Priority 3 - Any number of warnings prior to the next to last warning before reaching a "Significant Operator Action" condition. In some cases where no significant operator action condition can result, it is the only warning.
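The priority rule above and the alarm coding listed earlier (priority highlight, intensity by alarm state, flash duty cycle, and the IPSO matrix box showing the highest related priority), as an added model that is not part of the DCD. Class and function names, the state-transition guards and the sample alarms are constructed for illustration; only the rules themselves come from the page.

```python
"""Added model of the Nuplex 80+ alarm priority rule and tile coding.

Not from the System 80+ DCD: names, transition guards and sample alarms are
constructed for illustration.  The priority rule, the highlight codes, the
intensity per alarm state and the flash duty cycles are as the page states.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class AlarmState(Enum):
    UNACKNOWLEDGED = "unacknowledged"
    ACKNOWLEDGED = "acknowledged"
    RESET = "reset"


# Highlight code by priority (None = "Operator Aid", coded by underline).
HIGHLIGHT = {1: "reverse video", 2: "box", 3: "brackets", None: "underline"}

# Color intensity by alarm state.
INTENSITY = {
    AlarmState.UNACKNOWLEDGED: "high",
    AlarmState.ACKNOWLEDGED: "medium",
    AlarmState.RESET: "low",
}


def assign_priority(warnings_before_soa: int, position: int,
                    leads_to_soa: bool = True) -> int:
    """Priority of the `position`-th warning (1-based) in a sequence of
    `warnings_before_soa` warnings that precede a "Significant Operator
    Action" (SOA) condition: last warning = 1, next to last = 2, any
    earlier warning = 3.  A warning that cannot lead to an SOA condition
    is Priority 3 even when it is the only warning.
    """
    if not 1 <= position <= warnings_before_soa:
        raise ValueError("position must lie within the warning sequence")
    if not leads_to_soa:
        return 3
    remaining = warnings_before_soa - position   # warnings still ahead
    return {0: 1, 1: 2}.get(remaining, 3)


@dataclass
class Alarm:
    descriptor: str
    critical_function: str
    priority: Optional[int]            # 1..3, or None for an Operator Aid
    state: AlarmState = AlarmState.UNACKNOWLEDGED
    cleared: bool = False              # process condition no longer present
    # (event, time) log: the fields the page says HDSR records per alarm
    history: list = field(default_factory=list)

    def acknowledge(self, t: float) -> None:
        if self.state is AlarmState.UNACKNOWLEDGED:
            self.state = AlarmState.ACKNOWLEDGED
            self.history.append(("acknowledged", t))

    def clear(self, t: float) -> None:
        if not self.cleared:
            self.cleared = True
            self.history.append(("cleared", t))

    def reset(self, t: float) -> None:
        # Assumed guard (not stated on the page): reset only after the alarm
        # has been acknowledged and its condition has cleared.
        if self.state is AlarmState.ACKNOWLEDGED and self.cleared:
            self.state = AlarmState.RESET
            self.history.append(("reset", t))


def render(alarm: Alarm) -> dict:
    """Visual attributes of the alarm's tile / descriptor per the coding."""
    if alarm.state is AlarmState.UNACKNOWLEDGED:
        flash = "50/50"          # fast, even on/off duty cycle
    elif alarm.cleared and alarm.state is not AlarmState.RESET:
        flash = "25/75"          # cleared: slow, uneven duty cycle
    else:
        flash = None             # steady
    return {"highlight": HIGHLIGHT[alarm.priority],
            "intensity": INTENSITY[alarm.state],
            "flash": flash}


def matrix_box_priority(alarms, critical_function: str) -> Optional[int]:
    """Priority shown by an IPSO critical-function matrix box: the highest
    priority (lowest number) among its non-reset alarms.  Operator aids are
    not deviations from normal and never feed the box.  None = box clear."""
    live = [a.priority for a in alarms
            if a.critical_function == critical_function
            and a.priority is not None
            and a.state is not AlarmState.RESET]
    return min(live) if live else None


if __name__ == "__main__":
    # Constructed sample: two warnings ahead of an SOA condition on RCS pressure.
    hi = Alarm("PZR PRESS HI", "RCS Pressure Control", assign_priority(2, 1))
    hi_hi = Alarm("PZR PRESS HI-HI", "RCS Pressure Control", assign_priority(2, 2))
    print(render(hi), render(hi_hi))
    print(matrix_box_priority([hi, hi_hi], "RCS Pressure Control"))   # 1
```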

In addition to alarms, an information notification category "Operator Aids" has been established for information that may be helpful for operations but is not representative of deviations from normal conditions. Conditions classified as "Operator Aids" include: channel bypass conditions, approach to interlocks, and equipment status change permissives. Note that "Operator Aids" for the Nuplex 80+ control complex are not interchangeable with the term "Job Aids". The alarm priorities and "Operator Aid" are coded uniquely to allow the operator to quickly distinguish between alarm conditions. Section 18.7.1.5 provides a detailed description of alarm presentation methodology and operator interaction with alarm information. Table 18.7.1-1 provides the complete Nuplex 80+ coding matrix, including alarms and operator aids.

18.7.1.1.5 Information Access

To perform operations and respond to abnormal conditions the operator needs to easily access information such as data presented on discrete indicators, DPS process mimic representations and information listings. Tasks that are performed frequently or need to be quickly accomplished require minimal operator actions to access supporting information. The primary method of information access in Nuplex 80+ is through touch sensitive targets. This makes use of the operator's natural tendency to point to desired information. The following features that enhance information access are a part of the Nuplex 80+ design.

  • Alarm Tiles - The primary method by which alarms are acknowledged is by touching a flashing alarm tile. Touching the tile acknowledges the alarm, which results in an alarm message being displayed with related targets. Touching an alarm tile that is either in alarm or not in alarm accesses option(s) on the DPS screen menu (the VDU on the same panel as the tile) to provide direct access to display pages associated with the alarm tile's descriptions.

  • Display Pages - Touch targets are used to access supportive or diagnostic information associated with a display page's process. Section 18.7.1.3.4 describes display page information access in detail.

Subsequent sections of Section 18.7.1 provide more details on information access mechanisms within the specific components of the Nuplex 80+ design.

18.7.1.1.6 Data Content / Display Density Guidelines

The Nuplex 80+ information system makes extensive use of VDU and other computer based information presentation devices (e.g., DIAS). This created the need to establish guidelines to provide uncluttered, well organized and easily interpretable displays. The following indicate the major data content and display density guidelines that were followed. Only data associated with a display process or helpful for the understanding of that process is included. Data to be displayed is selected based on the output of the functional task analysis, plant experience, federally mandated requirements and system engineering requirements. When the operator scans the display for specific information, all other information on the screen is considered background clutter. There is a limit beyond which additional information loading on the screen dramatically decreases the ability of the operator to efficiently obtain the information he needs.

Experience has shown and HFE criteria indicate that the display loading (the percentage of potentially active screen area) should not exceed 25 percent. The inactive area constitutes "white space" that is essential for clarity in any display. The amount of potentially active data on a display does not exceed 50 percent of the total screen area, not including demarcation lines. However, organizing related data into many screens requires extensive screen switching, and should be avoided.

18.7.1.1.7 Size Criteria for Labels and Information

Operator data collection for both monitoring and control requires that some data be readable from a distance, and other data be readable while at a given panel. The following sections provide information size criteria for information in the control room. The sizes of characters meet the guidelines of the HFESG (Reference 2). Apparent character height at expected reading distances subtends at least 12 minutes of arc.

  • Data To Be Viewed From the Shift Supervisor's Office - The Integrated Process Status Overview (IPSO) information is provided with a letter height sufficient to allow readability of information from the shift supervisor's office (i.e., 40 feet), in accordance with the HFESG. IPSO information provides the highest level information to the operating staff and therefore needs to be visible from any controlling workspace panel, as well as the shift supervisor's office.
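Worked check, added here and not part of the DCD, of the 12 minutes-of-arc criterion against the 40-foot viewing distance and the 2.1-inch minimum IPSO character height the page specifies; $h$ (character height), $d$ (viewing distance) and $\theta$ (subtended angle) are symbols introduced for this check.

$$
h_{\min} = d \tan\theta = (40\ \mathrm{ft} \times 12\ \mathrm{in/ft})\,\tan(12') = 480\ \mathrm{in} \times \tan(0.2^{\circ}) \approx 480 \times 0.00349 \approx 1.68\ \mathrm{in}
$$

Conversely, a 2.1-inch character viewed from 480 inches subtends $\theta = \arctan(2.1/480) \approx 0.251^{\circ} \approx 15'$, so the IPSO character minimum exceeds the 12' criterion with margin.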

  • Data To Be Viewed Within the Controlling Workspace - The control panel identifying labels have a letter height sufficient to allow the operator to determine which panel information is associated with from any location in the controlling workspace. For example, if the operator observes a flashing indication on a panel, the operator will know with which panel the information should be associated. This allows the operator to obtain the exact information associated with the indication by accessing the data on the DPS at his present location. This may be particularly useful as an aid to alarm response.

  • Data To Be Viewed Across the MCC - Since a design basis of the MCC is to allow one person to conduct normal operations at the MCC, certain data on the MCC is readable while the operator is at any other MCC panel. This data includes:
1. Group / Subgroup Labels These labels allow the operator to distinguish in which group / subgroup information is changing. If the operator observes an indication such as a valve repositioning (shown by both red / green status lights illuminated) the operator will be able to distinguish in which group / subgroup the valve is located.
2. Alarm Group Labels These labels allow the operator to distinguish what group or system is in alarm. For example, the RCS panel has alarm groups for RCPs, seal / bleed, and RCS.
3. Dedicated Parameter Discrete Indicator Labels (e.g., Pzr Pressure) These labels allow the operator to identify what information is displayed on the associated discrete indicator.

The data that falls into the above categories (1, 2, and 3) on the MCC is of the same size on the ACSC panels to assure usability of information throughout the control room. Additionally, this ACSC information allows an operator to monitor the information associated with an ACSC panel section while seated at a desk in front of the AC or SC, see Figure 18.6.5-4.

  • Data To Be Viewed From an Adjacent Panel - The DPS VDU associated with an adjacent panel may be used by the operator to support monitoring activities associated with his present tasks. For example, the operator may desire a trends format or overview information on the adjacent VDU to aid him in monitoring tasks associated with a process or detailed page on the panel that he is using.

  • Data To Be Viewed at a Panel - While performing monitoring and control activities at a panel, the operator observes some information while seated or standing in front of the panel, while other information is only used when performing an action or accessing a display format. Thus, this type of size criteria is divided into two categories as follows:
1. Information Gathering Tasks

The operator needs to view the following information related to the workstation process while in front of the panel:

   -        Panel Mimic Diagram Labels (e.g., identification of bypass, recirculation paths).
   -        Alarm Tile Descriptors.
   -        Existence of alarms on IPSO and location with respect to a system or plant process.
   -        Alarm group labels and divisions on panels.
   -        Priority coding on alarm tiles.
   -        Spatial dedication of alarm tiles on panels.
   -        Existence and priority of alarm within first level display page categories provided on DPS display page menu options.

This information is sized to be readable by 95th percentile males and 5th percentile females from both standing and seated positions at the MCC or only standing positions at the ACSC.

2. Information to Support Control Actions and Information

This information is used by the operator when performing an action, i.e., touching either a control feature or information access feature. To support these tasks the information is sized to allow readability while performing the specific action.

18.7.1.1.8 Information Input

The capability is provided to manually input to the Nuplex 80+ I&C systems component or parameter information unavailable from automated data acquisition means. This will include information such as Bypassed or Inoperable Status manual input and input related to tagged out components. This capability will be provided by DPS controlled access keyboards located outside the controlling workspace (e.g., CRS console, MCR offices) or other system operator interface devices (e.g., Operators Modules).

18.7.1.2 Integrated Process Status Overview (IPSO)

The presentation of plant processes on display page formats has led to a generally expressed concern that the presentation of information on separate, relatively small formats which must be viewed independently might prevent the operator from gaining an overall "feel" for plant status. In a typical nuclear power plant the understanding of the whole plant process performance is gained by parallel processing of an array of conventional instrumentation, i.e., by means of a sweeping glance around the control room.

In the Nuplex 80+ control room a large panel overview display provides the information that the operator requires for quickly assessing overall plant status. This panel, known as the Integrated Process Status Overview (IPSO), see Figure 18.7.1-2, is a continuous display visible from any panel in the controlling workspace, control room offices, and the Technical Support Center. The IPSO is centrally located relative to the MCC. The IPSO also exists as a DPS display page that is available on any control room DPS VDU. It is also available at remote facilities such as the Technical Support Center and Emergency Operations Facility. As a plant overview / top level display page, IPSO allows the operator or other plant personnel to interrogate the display format (see Section 18.7.1.3.4), to aid in access to additional display pages or problem diagnosis.

The IPSO large panel format is approximately 6 feet high by 8 feet wide. Its location, above and behind the MCC workstation, is approximately 40 feet from the shift supervisor's office (the furthest viewable point). Information contained on IPSO is sized to meet the following guidelines for readability from all points within the control room:

  • Characters - minimum 2.1 inches
  • Symbols - minimum 2.8 inches

18.7.1.2.1 IPSO Representational Characteristics and Features

The IPSO provides the operator with information that allows him to determine overall operational and safety status. The IPSO presents high level process overview information by which an operator can:

  • Determine overall operating status via critical function alarm status and success path availability and performance status.
  • Organize operational concerns via a small number of symbolic representations that are a result of highly processed data.
  • Establish priorities for operator actions via prioritized alarm status for critical functions and success path availability and performance.
  • Assess critical function status via alarms, symbols, and digital parameters.

Information provided on the IPSO display includes:

  • Major system and component status shown on an overview schematic representative of the main heat transport systems.
  • Existence of system and function level status, success path availability, success path performance and key critical function parameter alarms (see Section 18.7.1.5) to aid the operator in quickly identifying the location of important alarm information.
  • Deviations from critical power production and safety function setpoints and identification of improving or degrading trends to improve the operator's awareness of plant conditions.
  • Critical Function Parameters (e.g., RCS Temperature, Pressurizer Pressure and Level, Reactor Power, Plant Power Output) to improve the operator's and supervisor's awareness of plant conditions.

The IPSO uses the same HF criteria for display design that are used on the DPS process display pages. IPSO uses the dynamic symbols, color code, highlighting, blinking, graphic layout and information coding features described in Section 18.7.1.1. DSER Open Item 18.8.2-2a (Section 18.4, Reference 11) provides additional information on the usefulness of a large overview display (IPSO).

18.7.1.2.2 Plant Functional Information on IPSO

A primary operational benefit of IPSO is the use of IPSO information to support operator response to plant disturbances, particularly when a disturbance affects a number of plant functions. IPSO information supports both the operator's ability to respond to challenges in plant power production and plant safety. To that end, IPSO allows the operator to assess the overall plant's process performance by providing information to allow a quick assessment of the plant's critical safety or power production functions. The concept of monitoring plant power and safety functions requires a categorization of the power and safety-related plant processes into a manageable set of information that is representative of the various plant processes. The critical functions pertaining to the System 80+ plant are:

                                             Critical To:
    Function                                 Power    Safety
    1.  Reactivity Control                     X        X
    2.  Core Heat Removal                      X        X
    3.  RCS Heat Removal                       X        X
    4.  RCS Inventory Control                  X        X
    5.  RCS Pressure Control                   X        X
    6.  Steam / Feed Conversion                X
    7.  Electric Generation                    X
    8.  Heat Rejection                         X
    9.  Containment Environmental Control               X
    10. Containment Isolation
    11. Radiological Emissions Control         X        X
    12. Vital Auxiliaries                      X        X

A 3x4 alarm matrix block containing a box for each critical function exists in the upper right hand corner of IPSO. The matrix provides a single location for the continuous display of the presence of alarms that jeopardize the specific critical function. Above the box is the identification of the emergency procedure currently selected by the operator.

The 3x4 matrix representation is an overview summary of the 1st level critical function display page information. The operator obtains the details associated with a Critical Function in the Critical Function section of the display page hierarchy (see Section 18.7.1.3).

18.7.1.2.3 Systems Represented on IPSO

The systems represented on IPSO are the major heat transport path systems and systems that are required to support the major heat transport process. These systems include those that require availability monitoring per Regulatory Guide 1.47, and all major success paths that support the Plant Critical Functions. The following systems have dynamic operating status representations on IPSO. The identifiers for the systems used on IPSO in Figure 18.7.1-2 are provided below.

    CC - Component Cooling Water
    CD - Condensate
    CI - Containment Isolation
    CS - Containment Spray
    CW - Circulating Water
    EF - Emergency Feedwater
    FW - Feedwater
    IA - Instrument Air
    SC - Shutdown Cooling
    RC - Reactor Coolant
    SI - Safety Injection
    SW - Service Water
    TB - Turbine Bypass
    CH - Charging
    LD - Letdown
    DO - Diesel Generator
    SD - Safety Depressurization

System information presented on IPSO includes system operational status, change in operational status (i.e., active to inactive, or inactive to active) and the existence of alarms associated with the system. Alarm information on systems also helps inform an operator about success path related Critical Function alarms.

18.7.1.2.4 Alarms Presented on IPSO

IPSO displays the following types of alarms:

  • The presence of alarms that jeopardize critical functions are displayed in the IPSO alarm matrix boxes. Each box identifies the presence of alarms that jeopardize the specific critical function. The display format for the box indicates the highest priority of all related alarm conditions;
  • Success path availability alarms using system symbols and descriptors;
  • Success path performance alarms using system symbols and descriptors;
  • Key critical function process parameter alarms using IPSO process representations.

18.7.1.3 DPS Display Pages

The Nuplex 80+ DPS VDU display pages contain all the System 80+ plant information that is available to the operator, in a structured hierarchy. The display pages are useful for information presentation because they allow graphical layouts of the plant and processes in formats that are consistent with the operator's visualization of the plant. In addition, graphical formats are designed to aid operational activities of the plant by providing trends, categorized listings, messages, operational prompts, as well as alert the operator to abnormal processes.

The primary method that the operator navigates on the Nuplex 80+ DPS is through touch screen interface. Keyboards are not used for information access on the MCC, AC, or SC panels. Manual entry of information into the DPS is provided via controlled access keyboards outside the controlling workspace (e.g., CRS Console, MCR offices). Messages and supporting display page option touch targets can be accessed on VDUs by touching other control panel features (see Sections 18.7.1.4 and 18.7.1.5). The Nuplex 80+ Data Processing System (DPS) is described in Section 7.7.1.7.

The IPSO display page forms the apex of the Nuplex 80+ DPS display page hierarchy. Three levels exist below IPSO, where each level of the hierarchy provides an information content designed to satisfy particular operational needs (see Figure 18.7.1-3). The structure of the hierarchy is based on supporting the operator in the performance of his tasks as well as providing quick and easy access to all information displayed via the DPS VDUs. The display formats on the top level provide information for general monitoring activities, while the lowest level displays contain information that is most useful for supporting diagnostic activities. Each level of the hierarchy is described in detail in the following subsections.

18.7.1.3.1 Level 1 Displays

Level 1 display pages provide information that is most useful for general monitoring activities associated with major plant processes. These display pages inform the operator of major system performance and major equipment status. The Nuplex 80+ level 1 display pages are as follows:

  • Critical Functions
  • Primary Systems
  • Secondary Systems
  • Power Conversion
  • Electrical Systems
  • Auxiliary Systems

An example of a level 1 display page is provided by Figure 18.7.3-1.

18.7.1.3.2 Level 2 Displays

Level 2 display pages provide information that is useful for controlling plant components and systems. These pages contain information necessary to control a system's processes and functions. Parameters which must be observed during controlling tasks appear on the same display, even though they may be parts of other systems. Proposed operating procedures, system and component operating manuals, and the Functional / Task Analysis have been used for determining which parameters to display. The operator would normally monitor the "Primary Systems" display page to assess RCS performance. If an adjustment to an RCP is necessary, the operator would access the RCP control display page. All information for that adjustment is on the control display to preclude unnecessary jumping between display pages. An example of a level 2 display page is provided by Figure 18.7.3-2.

18.7.1.3.3 Level 3 Displays

Level 3 display pages provide information that is most useful for diagnostic activities of the components and processes represented in level 2 display pages. Level 3 display pages provide data useful for instrument cross-channel comparisons, detailed information for diagnosing equipment or system malfunctions, and trending information useful for determining direction of system performance changes, degradation or improvement. An example of a level 3 display page is provided by Figure 18.7.3-3.

18.7.1.3.4 Display Page/Information Access

The operator's ability to acceptably access information and diagnose operational concerns with a VDU-based information system is dependent on his ability to access the appropriate display pages. Display page access in Nuplex 80+ is fast, simple, consistent among the various display stations, and easy to use. Nuplex 80+ display page access is accomplished primarily through the use of menus located at the bottom of the display pages. A Nuplex 80+ display page menu is shown on Figure 18.7.1-4. Each display page in the Nuplex 80+ design contains a standard menu format that provides direct (i.e., single touch) access to the last page viewed and the display page directories (Critical Functions, Primary, Secondary, Power Conversion, Electrical Systems, Auxiliary Systems, and Other Systems / Features) for all display pages (see Figure 18.7.1-4).

  • Display Page Access Using the Display Page Directory There is one display directory for each hierarchy under a 1st level display page (i.e. C 4tical Functions, Primary, Secondary, Power Conversion, Electrical, and Auxiliary Monitsring).

Additionally there is a directory labeled "Other" which contains display pages or informr'. ion that does not fall into the categories of the previously mentioned directories. The Other :ategory includes the following types of display pages; Radiation Monitoring / Control, Data Base Information, Maintenance Information, and Ifistorical Data Retrieval Information. Additionally each directory provides access to the Prioritized Alarm List, and Time Sequential Alarm List; see Section 18,7.1.5.3. Directory Format There are a total of seven (7) directories which exist: Critical Functions Monitoring, Primary, Secondary, Power Conversion, Electrical, Auxiliary, and "Other" The Primary, Secondary, Power Conversion, Electrical and Auxiliary Directories are laid out in a format where the display page options are grouped with the control panel they are associated with. For example on Figure 18.7.1.-5 there are four groupings of display pages for pages associated with the following four control panels; Engineered Safety Features (ESF), Reactor Coolant System, CVCS, and Plant Monitoring & Control. The first row of page options for a g panel grouping provide access to 2nd level pages, where the page options below these provide W access to 3rd level pages. Apprend Design Materiel. Human Factort Engmeermg Page 18.7 22


The "Critical Function Monitoring Directory" and "Other Directory" are presented using a different directory format. The directory formats are different because these directories are not structured based on plant system, thereby not relating to panel groups. The Critical Function Directory is described in Section 18.7.1.8.2. The "Other Directory" pages are grouped by the display page categories described earlier.

• Accessing Information Using Point Poke

Process parameter labels (alpha-numeric designators) and labels for component symbols of a mimic diagram provide, upon request, access to more detailed information. To obtain more information about a process parameter or component, the operator touches the associated descriptor. Upon touching the descriptor it is highlighted in white to confirm the operator's selection. When the operator lifts his finger from the screen, operational information associated with that parameter is placed on the message line and the menu as follows:

1. Message Area

The message area contains the parameter's descriptor, data base point I.D., and current value.

2. Dynamic Display Page Options

Display page options that contain the most likely options to provide more information about the parameter, such as process control and diagnostic display pages, appear as shown in Figure 18.7.1-6. A maximum of three display pages will be provided.

Descriptors are also used for alarm acknowledgement on the DPS VDUs. Many display page symbols on IPSO provide a representation of system status. Touching the symbol's descriptor, on the VDU version of IPSO, provides menu options that allow access to display pages associated with the system and an appropriate message in the message area.

18.7.1.3.5 Historical Data Storage and Retrieval (HDSR)

All alarm information will be collected and stored by this system. Alarm activity, i.e., time in, priority, time acknowledged, time cleared and time reset, will be stored along with the description of the alarm and any pertinent information that may be required by the operator or the technical support center. It will also store a record of trends for particular data points within the plant.

18.7.1.4 Discrete Indication Displays

Discrete indications are provided on the Nuplex 80+ control room workstations to provide the operator with the following information:

• Continuous Display (DIAS-P)

1. Validated list display of all Reg. Guide 1.97 Category 1 variables.
2. Access to the individual channels for all Reg. Guide 1.97 Category 1 variables.


• Dedicated Parameter Display (DIAS-N)
1. Key parameters used to assess critical function status for power production and safety (overlaps with Reg. Guide 1.97).
2. Key parameters indicative of success path performance for both safety and power production.
3. Access to individual sensor channels used in process representation values to allow continued operation without the DPS available.
  • Multiple Parameter Display (DIAS-N)
1. Information allowing continued operation without the DPS available:
- Information for Technical Specification monitoring with surveillance times less than 24 hours.
- Information required to assess major equipment damage or personnel hazard alarms.
- Reg. Guide 1.97 Category 1 and 2 parameters (Types A-C) (not already on single parameter displays).

The Discrete Indicators provide safety related parameters in an acceptable format. Process parameters identified in Regulatory Guide 1.97 Category 1 are continuously displayed. Trending is accomplished using dedicated parameter displays. The Discrete Indicators also provide indication and alarms on parameters needed for operation when the Data Processing System (DPS) is unavailable. These include Regulatory Guide 1.97 Category 1 and 2 parameters (Types A-C) (not already on single parameter displays), parameters associated with major equipment damage or personnel protection, and other surveillance related parameters (multiple parameter displays). Though the DPS is a highly reliable, redundant computer system, its unavailability is considered for a period of up to twenty-four hours. Selected less frequently viewed parameters are available on multiple parameter discrete indicators, with a menu available by operator selection. Each discrete indicator has the capability to present a number of parameters associated with a component, system, or process. The discrete indicators present various display formats that are based on fulfilling certain operator information requirements. Described below are three general categories of operator information requirements that discrete indicators provide.

• Process Representative Parameters

While monitoring or controlling a process such as pressurizer pressure, the task analysis specifies requirements for use of one representative value in the most accurate range. For this type of information the discrete indicator presents a bold digital value and an analog bar graph of the validated average of the sensors in the most accurate range. This validated data is checked against Post-Accident Monitoring Indication (PAMI) sensors when applicable. When in agreement with the PAMI, the indicator may be used for post-accident monitoring. This has the advantage of continuing to allow the operator to utilize the indicator he is most familiar with and uses on a day-to-day basis. The operator, upon demand, can display any individual channel on the discrete indicator. The use of validated parameters is a benefit to operators by reducing their stimulus overload and task loading resulting from presentation of multiple sensor channels representing a single parameter.

When the validation algorithm cannot validate, the discrete indicator displays the sensor reading that is closest to the last validated value. A validation alarm is generated for this condition. The discrete indicator continues to display this sensor's value until either an algorithmically validated value is arrived at or the operator selects another value for indication. The field on the discrete indicator that usually reads "valid" changes to "fault sel". This indicates that the value is not validated and has been selected by the computer. In addition, the individual tag number for the selected channel is presented in reverse image and flashing. This indicates that the operator should review the available sensors that can be used for the parameter reading. If the operator makes a sensor selection, the field with "fault sel" and tag number reads "op sel" and tag number in reverse image with no flash. When the validation algorithm can validate the data, "op sel" is automatically replaced with the validated information. An example of a typical discrete indicator for process representation parameters is provided in Figure 18.7.1-7.

DPS Displays: On any display page that displays a validated parameter on the DPS VDU, a fault selected value is indicated by an asterisk placed before the value, e.g.,

* 2250 psia

The asterisk remains on the VDU after the operator reviews available sensors and makes a selection on the discrete indicator. This informs the operator that this parameter value is not validated. Similarly, if a parameter displayed on the VDU is not PAMI validated, it is preceded by an asterisk. The asterisk again indicates to the operator that something is questionable about the particular value. This prompts him to review the value on the level 3 pages or on a discrete indicator before he uses it in calculations or diagnosis.

• Trends

Trends are particularly useful for observing deviations in processes and the diagnosis of those problems. Discrete indicators have a trend format in addition to the digital and analog values when task analysis indicates that trend information is required for:

1. Routine monitoring or control, or
2. Abnormal event diagnosis.
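The validated-parameter fallback described under Process Representative Parameters (the "valid" / "fault sel" / "op sel" field, the flashing tag, and the asterisk prefix on DPS pages) is a small state machine, so here it is as an added illustration. This is example code written for this page, not Nuplex 80+ or DIAS software: the validation rule (all channels agreeing within a tolerance band), the tolerance value, and the sensor tag names are assumptions constructed for the example; the design document does not give the actual validation algorithm.

```python
"""Added example: discrete indicator value selection and DPS asterisk marking.
Illustrative code for this page, not Nuplex 80+ software.  The validation
rule (channels agree within TOLERANCE) and the PT-101x tags are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

TOLERANCE = 20.0   # assumed validation band (psia); not a design value


@dataclass
class Channel:
    tag: str        # sensor tag; the tags used in tests are constructed samples
    value: float


@dataclass
class DiscreteIndicator:
    last_valid: float                  # last validated (averaged) value
    status: str = "valid"              # field text: "valid" | "fault sel" | "op sel"
    selected_tag: Optional[str] = None
    tag_flashing: bool = False         # reverse image + flash asks the operator to review sensors
    validation_alarm: bool = False
    operator_choice: Optional[str] = None

    def update(self, channels: list[Channel]) -> float:
        """Return the value the indicator displays for this scan."""
        values = [c.value for c in channels]
        if max(values) - min(values) <= TOLERANCE:
            # assumed validation rule: channels agree, so the validated average
            # automatically replaces any "fault sel" / "op sel" state
            self.last_valid = sum(values) / len(values)
            self.status, self.selected_tag = "valid", None
            self.tag_flashing = self.validation_alarm = False
            self.operator_choice = None
            return self.last_valid
        self.validation_alarm = True
        if self.operator_choice is not None:
            # operator selected a sensor: "op sel", tag in reverse image, no flash
            chosen = next(c for c in channels if c.tag == self.operator_choice)
            self.status, self.selected_tag, self.tag_flashing = "op sel", chosen.tag, False
            return chosen.value
        if self.status == "fault sel" and self.selected_tag is not None:
            # keep showing the computer-selected sensor until validation succeeds
            # or the operator selects another channel
            chosen = next(c for c in channels if c.tag == self.selected_tag)
        else:
            # computer selects the reading closest to the last validated value
            chosen = min(channels, key=lambda c: abs(c.value - self.last_valid))
        self.status, self.selected_tag, self.tag_flashing = "fault sel", chosen.tag, True
        return chosen.value

    def operator_select(self, tag: str) -> None:
        self.operator_choice = tag


def dps_text(value: float, status: str, pami_agrees: bool, unit: str = "psia") -> str:
    """DPS VDU rendering: an asterisk precedes a value that is not validated
    (fault selected or operator selected) or that does not agree with PAMI."""
    prefix = "" if status == "valid" and pami_agrees else "*"
    return f"{prefix}{value:.0f} {unit}"
```

The operator's selection is cleared as soon as validation succeeds again, which is the "op sel is automatically replaced with the validated information" behaviour; the asterisk on the DPS page stays for both computer- and operator-selected values, so the DPS reader always knows the number is unvalidated.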

Figure 18.7.1-7 shows a typical trend format on a discrete indicator.

• Groups of System/Process Related Parameters

Parameters that allow continued operation without the DPS available include information to monitor Technical Specifications, information required to assess major equipment damage or personnel hazard alarms, and information to monitor Reg. Guide 1.97 Category 1 and 2 parameters (Types A-C) (not already on single parameter displays). An example of a typical discrete indicator for a process multi-parameter display is provided in Figure 18.7.1-21.

Information Access

Each discrete indicator contains a menu(s) option that, when requested, replaces the normally displayed digital value and analog bar graph with a menu of parameters that can be monitored on the discrete indicator. The menu is activated by touch.

18.7.1.5 Alarm Characteristics

The Nuplex 80+ annunciator system incorporates the following features:

• Alarms are presented on grouped alarm tiles or DPS VDU representations with dynamic messages used to inform operators of specific conditions in alarm.

• Alarms are based on applicability for plant operating mode. Alarm logic and setpoints are specific for each of the following alarm modes:

1. Normal operation.
2. Heatup/cooldown.
3. Cold shutdown / refueling.
4. Post-trip.

Mode change is automatic with respect to the DPS. When the DPS detects that a mode change is appropriate, the system will initiate the change and prompt the operator to do the same to DIAS, which is manually changed. The change to post-trip mode is automatic for both systems. Mode dependent alarms significantly reduce nuisance alarm generation.

• Alarms are acknowledged either individually or within small groups that can be viewed by the operator; global acknowledgement is not used since this tends to mask important alarms. The Nuplex 80+ alarm system aims at making the operator aware of all conditions that are unacknowledged. The alarm system has provisions such as momentary audible tones, reminder tones and flash suppression that make unacknowledged alarms less distracting. Acknowledgement of alarms is done using:

1. Individual annunciator tiles.
2. DPS VDU interface features.

• Alarm logic and setpoints are based on equipment status; e.g., low discharge pressure is only applicable when a pump is supposed to be running. This approach helps to significantly reduce the number of nuisance alarms.

• Alarms are partitioned by location with respect to control room panels and operator functions to help provide the operator with discrimination among systems containing process deviations.

To quickly respond to an alarm condition(s) there needs to be an efficient means of identifying the exact nature of the alarm and accessing the most useful information for diagnosing the alarm condition. Alarm information in Nuplex 80+ is presented through the use of the IPSO, discrete annunciators, alarm information display pages, and alarm information on process display pages. Each of these sources of alarm information plays an important role in responding to and diagnosing unanticipated conditions.

In the Nuplex 80+ design, alarms are grouped into three priorities, so the operator can determine the relative importance of each alarm, as follows:

Priority 1
Priority 2
Priority 3

Section 18.7.1.1.4 describes the alarm conditions within each of these priorities.

In addition to these alarm priorities, there exists a separate category called "Operator Aids". Operator aids provide operational guidance information that is not representative of an undesirable process or component condition. These are discussed further in Section 18.7.1.5.6.

Priority 1, 2, and 3 alarms are processed and displayed independently through both the Discrete Indication and Alarm System (DIAS) and the Data Processing System (DPS). Priority 3 alarms that do not degrade to priority 2 and 1 conditions, and operator aids, are processed and displayed only by the DPS. The IPSO panel described in Section 18.7.1.2 is driven by the DIAS and DPS and only provides indication of critical function and success path related alarms. Critical function alarms are displayed on IPSO critical function parameter descriptors and the IPSO critical function alarm matrix. System alarms related to success path availability and performance are displayed on IPSO system descriptors.

DIAS annunciator tiles in the Nuplex 80+ design may be driven by a number of individual alarm conditions. For example, a tile descriptor stating RCP 1A pump/motor trouble provides for 11 different RCP 1A alarm conditions. In general, alarm groupings within an alarm tile are based on alarm response strategies to support operational understanding of what components and systems are affected by disturbances. Message windows and DPS VDUs provide access to the specific alarm conditions.

Reducing the number of annunciator tiles helps reduce the amount of data displayed to the operator, and thus the size of control panels. This permits the operator to monitor and control a given amount of equipment with less movement between locations. Fewer annunciator tiles allow the operator to distinguish important alarms during transients.

The operator's ability to control plant processes is dependent upon notification of process performance changes and his ability to efficiently access supporting information for decision making. In the Nuplex 80+ control room much of the plant process information is contained on DPS VDU pages. Emphasis has been placed on the operator's ability to locate the VDU page(s) that most effectively support his alarm handling needs. The Nuplex 80+ design accomplishes this by:

• minimization of operator/VDU interactions required to access a display page(s) by providing direct access to supporting information via touch targets.

• minimization of memory requirements on the operator by providing alarm priority coding on menu sectors in alarm, alarm priority coding on display page directory selections in new and cleared unacknowledged alarm states, supporting diagnostic information related to the condition in alarm via the alarm message (e.g., present process value, setpoint, etc.), and identifying display pages containing information related to the alarm condition. These features direct the operator's attention to display pages containing supporting information related to unacknowledged alarms.

• flexibility to provide different information to support different needs and different user preferences via presentation of alarms in many formats including the following: 1) on associated display page descriptions of process parameters or components, 2) on DPS alarm lists including prioritized, hierarchical, and time sequential lists, 3) on annunciator tile representation for single unacknowledged alarms, and 4) on the DPS unacknowledged alarm list.

18.7.1.5.1 Alarm Status and Representation

Alarm status in the Nuplex 80+ alarm system is provided by DIAS and DPS alarm indications using the following four states, which are grouped into UNACKNOWLEDGED and ACKNOWLEDGED alarms:

Unacknowledged Alarms

1. New Alarm (alarm setpoint exceeded, condition not acknowledged)

If there is a new alarm associated with an alarm tile, the DIAS alarm tile and/or DPS display representation will flash at a fast rate (using a 50/50 duty cycle) with an accompanying audible tone. This condition takes precedence over all other alarm tile states for group alarm displays. This condition requires acknowledgement by the operator.

2. Cleared Alarm (process value returned to within alarm setpoint, condition not acknowledged)

When an alarm condition clears, the corresponding alarm tile and/or DPS display representation flashes at a slow rate (using an uneven 25/75 duty cycle), again accompanied by an audible tone, until this condition has been acknowledged. This condition takes precedence over the remaining two states for grouped alarms.

Acknowledged Alarms

1. Existing Alarm (alarm setpoint exceeded, condition is acknowledged)

If an alarm condition exists and alarm states 1 and 2 above do not exist, then the alarm tile or DPS display representation is lit.

2. No Alarm/Reset (alarm setpoint not exceeded / value returns to within alarm setpoint, condition acknowledged)

If state 2 is acknowledged or if there is no alarm condition associated with an annunciator tile, then the alarm tile or DPS display representation is not lit.

• Alarm Representations

Visual alarm information in Nuplex 80+ is identified by a unique hue, yellow. Different hues were not used to differentiate priorities because this limited the number of hues available for other purposes, and using one hue (yellow) for alarms reduced search time for the existence of alarms (more important information than alarm priority). Position coding was not feasible. NUREG 0700 provides a recommendation that shape is an acceptable coding mechanism, and it was thus chosen. Three levels of intensity have been assigned to differentiate the state of the alarms. New alarms fast flash with a high intensity yellow, existing alarms are solid (i.e., not flashing) with a medium intensity yellow, and cleared alarms slow flash with a low intensity yellow. This approach allows all alarm conditions to be quickly and uniquely recognized by the hue yellow and allows the alarm state to be determined uniquely by the intensity of yellow.

Shape coding is used to identify alarm priority; i.e., 1, 2, or 3. The shape coding used for identifying alarm priorities uses representational features of decreasing levels of salience. Shape coding of alarm priorities also allows retention of priority information for Return to Normal conditions. Two borders have been defined around a descriptor or alarm tile as an enhancement (not a code) that increases brightness and saliency of the coding between the different intensities of yellow used to distinguish unacknowledged new alarms (most important) from unacknowledged cleared and acknowledged existing alarm intensities. These borders, typically three pixels thick, define a spatial difference between the new and existing alarms. New alarms will flash the existing area and the additional three pixel area, giving the effect of the alarm jumping out at the operator. This enhancement increases brightness and salience of the coding between the different intensities of yellow used to distinguish unacknowledged new alarms (most important) from unacknowledged cleared and acknowledged existing alarm hues. Cleared alarms will be shown using the same area as existing alarms but with a different uneven flash duty cycle (see Figure 18.7.1-8).

The following provides the format for alarm representations in Nuplex 80+.

1. Priority 1 alarms

Alarm tiles, mimic diagram component descriptors, symbols, process parameter descriptors, and directory/display page option fields have their descriptor presented in reverse video image using the alarm hue coding. On the VDU the descriptor is presented in grey for static data and in blue for dynamic data to provide good contrast for readability. In addition, the alarm tile and alarm list status fields on the VDU use the same representation.

2. Priority 2 alarms

Alarm tiles, mimic diagram parameter descriptors, component descriptors, and menu/display page options have a thin box using the alarm hue code around their descriptor.

3. Priority 3 alarms

Alarm tiles, mimic diagram parameter descriptors, component descriptors, and menu/display page options have brackets around their descriptors.

18.7.1.5.2 Accessing/Acknowledging Alarm Information Using the Alarm Tiles

Alarm tiles for each panel are implemented on a flat panel video display unit. Each alarm tile representation can present either priority 1, 2, or 3 conditions. Each tile can notify the operator of one or more possible alarm conditions relating to a system, component, or major process problem. To quickly determine the actual alarm condition, a message area is provided at the bottom of each alarm display device. By touching an unacknowledged alarming annunciator tile, the tile is acknowledged while simultaneously an English description of the specific alarm condition is provided in the message area (see Figure 18.7.1-10). At the same time that a message appears on the DIAS message area, an alarm message line is also presented on the bottom of the display page on the panel's DPS VDU. If only one alarm condition caused the activation of the tile, a description of the alarm is displayed on the VDU. The DPS alarm message contains the following information: time-in, priority, severity (e.g., Hi, Hi-Hi), descriptor, setpoint, real time process value and data base point I.D. In addition, a representation of the alarm tile is provided to the right of the message area (see Figure 18.7.1-6), and menu options/fields on the display page menu provide direct access to the display pages that can be used to obtain supporting or diagnostic information on the alarm condition.

If an alarm tile contains more than one unacknowledged alarm condition, touching the alarm tile representation on DIAS provides a listing of the new alarm conditions associated with that tile in list display format, see Figure 18.7.1-11. This display provides the priorities and messages of the new alarms. An alarm status tile is provided with this display to allow the operator to be aware of any outstanding alarm conditions on the alarm tile matrix format. The operator is made aware that additional alarms exist which he can subsequently access. At the same time a tile containing more than one unacknowledged alarm is acknowledged on DIAS, the operator would see a message in the DPS message window indicating that the alarms behind that tile had been acknowledged, e.g., "RCP 1A TROUBLE {Priority Box} Multiple Alarms Acknowledged". Additionally, the display page menu option is provided to the right of the message area.

The alarm tiles that are in alarm can be accessed and acknowledged on any DPS VDU in a mechanism similar to accessing and acknowledging the alarms via the alarm tiles. A graphic representation of any alarm tile in alarm or cleared/return to normal condition status can be requested on any DPS VDU. The operator can quickly select unacknowledged alarm tiles on the DPS and obtain the same information as described above within the DPS message and menu areas. This means of responding to alarm conditions eliminates the need to traverse the control room to acknowledge alarms while maintaining a consistent method of acknowledgement. This is fully described in the next section.

Priority 3 Alarms and Operator Aids

Alarm information for priority 3 alarms that do not degrade to priority 2 or 1 conditions and operator aids are only available from the DPS and only appear on alarm formats. The DPS display page's menu in the Nuplex 80+ design provides the operator with an overview of the existence of unacknowledged alarms and cleared/return-to-normal conditions.


18.7.1.5.3 Alarms Presented on DPS

Alarm information is presented on the DPS VDUs by 1) alarm coding the descriptors of the representative features on the process mimics, 2) alarm tile representations and 3) alarm lists. The multiple methods of DPS alarm presentation allow the operators to utilize alarm information in the most meaningful manner for a given function or task.

DPS alarm information allows the operator to efficiently access, acknowledge, and diagnose any alarm from any Nuplex 80+ control panel. This permits the operator to remain at a panel when an alarm comes in on another panel. Alarm priority and status coding, as described in Section 18.7.1.5.1, is applied when alarms are present on component labels, symbol labels, process parameter labels, directory options, and menu options.

18.7.1.5.4 Alarm Access via DPS Menu and Directory Pages

The menus located at the bottom of each DPS screen (see Figure 18.7.1-5) in the Nuplex 80+ design provide the operator with an overview of the existence of any unacknowledged alarm conditions and a general overview of where they exist by plant sector. If an alarm exists in a plant sector, the corresponding menu option flashes. This is the sector of the hierarchy where the display page can be found that would best allow the alarm to be acknowledged. The menu option will reflect the priority associated with the alarm. The operator will be guided to the appropriate display page in this way. When the operator chooses, by touch, the menu option that is flashing, the associated sector directory is shown and the display page that is associated with the alarm will be flashing. The operator can then access this page by touch and acknowledge the alarm in the most appropriate context. In the case of more than one alarm on the same page, the display page option for that page will reflect the highest priority of unacknowledged alarm. The same coding applies to the directory menu options, in that they depict the highest priority unacknowledged alarm condition of the alarms on display pages that may be accessed within that branch of the hierarchy.
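The menu and directory coding just described is a roll-up: each display page option shows the highest priority unacknowledged alarm on that page, and each sector menu option shows the highest priority across every page in its branch. The following added example (written for this page, not DPS code) models that propagation over the hierarchy condition > alarm tile > display page > sector, and the "Multiple Alarms Acknowledged" behaviour of touching a tile. The page names, tile names and alarm messages are constructed sample data; only "RCP 1A TROUBLE" is a tile name taken from the text.

```python
"""Added example: alarm priority roll-up through the DPS display hierarchy.
Illustrative code for this page; page and tile names are constructed samples."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Alarm:
    tile: str          # DIAS tile the condition belongs to, e.g. "RCP 1A TROUBLE"
    message: str
    priority: int      # 1 (highest) .. 3
    acknowledged: bool = False


@dataclass
class DisplayPage:
    name: str
    alarms: list[Alarm] = field(default_factory=list)

    def highest_unacknowledged(self) -> Optional[int]:
        """Priority coded on this page's directory option; None means nothing on
        the page is unacknowledged, so the option does not flash."""
        open_ = [a.priority for a in self.alarms if not a.acknowledged]
        return min(open_) if open_ else None


@dataclass
class Sector:
    """One plant sector of the hierarchy: one menu option and one directory."""
    name: str
    pages: list[DisplayPage] = field(default_factory=list)

    def menu_coding(self) -> Optional[int]:
        """The sector's menu option reflects the highest priority unacknowledged
        alarm anywhere in its branch."""
        levels = [p for p in (pg.highest_unacknowledged() for pg in self.pages)
                  if p is not None]
        return min(levels) if levels else None

    def flashing_pages(self) -> list[str]:
        """Display page options that flash on this sector's directory."""
        return [pg.name for pg in self.pages if pg.highest_unacknowledged() is not None]


def acknowledge_tile(sector: Sector, tile: str) -> int:
    """Touching a tile representation acknowledges every unacknowledged
    condition behind it (the "Multiple Alarms Acknowledged" message case).
    Returns how many conditions were acknowledged."""
    count = 0
    for pg in sector.pages:
        for a in pg.alarms:
            if a.tile == tile and not a.acknowledged:
                a.acknowledged = True
                count += 1
    return count


def build_sample_sector() -> Sector:
    # constructed sample data, not taken from the design document
    rcp = DisplayPage("RCP Control", [
        Alarm("RCP 1A TROUBLE", "RCP 1A seal inlet temp hi", 2),
        Alarm("RCP 1A TROUBLE", "RCP 1A vibration hi", 3),
    ])
    przr = DisplayPage("Pressurizer", [
        Alarm("PRZR PRESS", "Pressurizer pressure lo", 1, acknowledged=True),
    ])
    return Sector("Primary", [rcp, przr])
```

Note that the acknowledged priority 1 alarm on the Pressurizer page does not affect the menu coding at all: the roll-up is over unacknowledged conditions only, which is why the sector option stops flashing as soon as the RCP 1A tile is acknowledged even though the priority 1 condition still exists.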
18.7.1.5.5 Alarm Acknowledgement

The Nuplex 80+ DPS allows significant flexibility in alarm acknowledgement to accommodate varying numbers of alarms (single and multiple) and various methods by which the operator can acknowledge them. The following means of alarm acknowledgement are provided through the Nuplex 80+ DPS VDUs:

Single Alarms

1. Alarm acknowledgement via the annunciator tile representations

When a single unacknowledged alarm condition exists, an alarm tile representation is displayed on the lower right corner of the VDU screen (see Figure 18.7.1-6). The tile representation corresponds to the DIAS alarm tile for priority 1, 2 and 3 alarms and appears independent of the current display page being presented. Alarms may be acknowledged by touching the alarm tile representation. This action changes the alarm tile representation from a flashing high intensity yellow condition to a medium intensity yellow condition and silences the periodic momentary audible sound associated with the alarm condition. Specific alarm condition messages are viewed on the VDU message window. This message contains: tile name, priority, message, setpoint, real-time process value, time-in and database point I.D. Also, display options will appear to provide access to display pages with more information about the descriptor that was touched (see Figure 18.7.1-6). The alarm tile will remain in the medium intensity yellow state until another new alarm comes in or the operator presses the "CLR" button.

2. Alarm acknowledgement using display page descriptors

Alarm priority and status are displayed, when alarms are present, on component labels and process parameter labels. Touching unacknowledged alarm coded descriptors on process display pages acknowledges the alarm and accesses the following information, displayed in the message area: DIAS tile name, priority, message, setpoint, real-time process value, time-in and database point I.D. Also, as described previously, display page options would appear to give the operator access to more information with respect to the descriptor that had been touched.

3. Alarm acknowledgement using UNACK. ALARMS list

If more than one alarm comes in, such as in post trip conditions, the operator needs a fast, effective method to review and acknowledge multiple alarms. This is allowed by providing an UNACK. ALARMS target, for multiple alarms, in the same place as the alarm tile representation for single alarms. When selected, a snapshot of the current new and cleared alarms is displayed in a list format. No individual alarm tile representation is provided when multiple alarms exist.

This snapshot will only represent the alarms that existed at the time the target was selected and none that occur after. Alarms are listed and organized according to functional group (directory), panel (the panel on which the display page that the alarm is on would be shown on a directory page), and the display page the alarm would be on. Alarms on a display page are shown by alarm tile and specific condition. The unacknowledged alarm and message format is shown in Figure 18.7.1-9. When the unacknowledged alarms are presented they may be acknowledged in two ways: by display page or by page of alarms.

4. Alarm acknowledgement using display page descriptors

It is also possible to acknowledge alarms on a case by case basis using the descriptors of process parameters or components. If there were more than one alarm on a descriptor, the highest priority unacknowledged alarm would flash over the highest priority acknowledged alarm; see the previous discussion of how this would occur. For example, a new priority 1 alarm would flash over an existing priority two or three. If new alarms were to come in on a descriptor that had no existing alarms, the alarm with the highest priority would be shown. When a descriptor showing multiple alarms is touched, to acknowledge one of the alarms, only the highest priority is acknowledged and the corresponding message is displayed in the message area. Then the criteria would be reapplied and the highest of the remaining alarms would be shown. In this way the alarms can be acknowledged one by one.


18.7.1.5.6 Special Alarm Features in Nuplex 80+

The following are special features included in the design of the Nuplex 80+ alarm system.

• Mode and Equipment Status Dependency

A key feature of the Nuplex 80+ alarm system is the use of mode dependent and equipment status dependent logic. These features reduce the number of alarms received during significant events and limit those alarms to conditions that actually represent process or component deviations pertinent to the current plant state. Mode and equipment dependency is implemented both through alarm logic changes and setpoint changes. An example of mode dependency is the reduction in the low pressurizer alarm setpoint to avoid a nuisance alarm after a normal reactor trip. Equipment dependent logic is used to actuate a low flow alarm only when an upstream pump is supposed to be operating. Four modes have been selected which correspond to significant changes in the alarm logic based on the plant state. These modes are:

1. Normal operation
2. Heatup/cooldown
3. Cold shutdown/refueling
4. Post-trip

Mode change is discussed in Section 18.7.1.5.

• Audible Alarm Information in Nuplex 80+

Distinct sounds/tones are provided in the Nuplex 80+ control room to indicate the following alarm information:

1. New Priority 1 or 2 Alarms
2. Reminder Tone for unacknowledged Priority 1 or 2 or Cleared Conditions (periodic while unacknowledged)
3. Cleared Priority 1 Alarms, or Cleared Priority 2 Alarms (upon becoming cleared)

An audible alarm, tone 1 or 3, is only present for 1 second, and tone 2 will repeat periodically, once every minute, until all alarms are acknowledged. If a new alarm condition comes in before the first alarm condition has cleared, an audible tone is presented at that time.

• Flash Suppression Feature in Nuplex 80+

In situations where multiple unacknowledged alarms exist the operator needs to direct his attention to the highest priority conditions. In this situation all other unacknowledged alarms, i.e. new priority 2, 3, and all cleared alarm conditions, are added noise that distracts the operator from the most important alarm conditions. In the Nuplex 80+ control room a "stop flash" and "resume" button exists on each console. When the "stop flash" button is depressed the alarm system's behavior exhibits the following characteristics:
1. All new priority 2 and 3 alarms change to existing alarms on DIAS tiles and DPS representations.
2. Any cleared alarm conditions are not presented as alarm conditions.
3. Any new priority 2 or 3 alarm condition coming in after the "stop flash" button has been activated is presented to the operator; however, the operator may redepress the stop flash button to suppress these conditions.

The reminder tone informs the operator that unacknowledged or cleared alarm conditions exist. This also serves to remind the operator that the alarm suppression feature is engaged. To reinstate normal alarm features the operator actuates a "resume" button which returns all unacknowledged and cleared conditions to their normal representational alarm status (i.e., fast and slow flashing respectively). The alarm suppression button is backlit after actuation to indicate that the feature is active.

• Operator Established Alarms

In addition to preestablished alarms the Nuplex 80+ alarm handling system allows the operator to establish his own alarm conditions that can notify him of changes in equipment performance, continued degradation of processes, or other changes in process performance. The operator is able to establish a new alarm associated with any DPS data base point. A display page listing is available for the operator to review the operator established alarm setpoints.
• Operator Aids

Operator aids consist of information that is helpful to the operator for plant control, but does not represent an undesirable condition in a process or component. Examples of Nuplex 80+ operator aids are:
1. Main turbine turning gear engaged.
2. Low pressurizer pressure trip bypass enabled.

Operator Aid information is presented on the DPS, using an orange underline of the text of the information it applies to. The operator aid information flashes when unacknowledged and then may be acknowledged by the operator; however, there is no cleared state.

18.7.1.6 Component Control

Nuplex 80+ component control features (e.g., actuation switches/controls) provide the primary method by which the operator actuates equipment and systems. The System 80+ plant has over 1000 components which are controlled from the Nuplex 80+ MCR. This number makes it impossible for an operator to remember many different unique control designs and strategies. To address this problem the Nuplex 80+ MCR has standard philosophies for component control. This minimizes the potential for human error, minimizes the need to reference control logic diagrams and maximizes operator convenience.

The control features also provide the operator with equipment status information that is consistent with other control room information.

Nuplex 80+ uses two standard features to operate CCS equipment (e.g., actuations, switching devices/controls): 1) CCS Process Controller Displays (e.g., Process Controller for Pressurizer Level in Figures 18.7.1-16, 18.7.1-17, 18.7.1-18, 18.7.1-19 and 18.7.1-20) and 2) CCS Switch Configurations (e.g., Figure 18.7.2-3). Process controls including associated switching devices are controlled using CCS Process Controller Displays. Major flow paths for critical safety and power production success paths are controlled using CCS Switch Configurations. The HSI features and component control strategies discussed in Sections 18.7.1.6.1 and 18.7.1.6.2 discuss switching devices using CCS Switch Configurations, except as noted. Switching device implementation on flat panel control devices like those shown on the Process Controller (which uses CCS Process Controller Displays) in Figure 18.7.1-20 is similar to implementation of CCS Switch Configurations.

18.7.1.6.1 Component Control Man-Machine Interface Features

18.7.1.6.1.1 Switch Types

All component control switches for critical function major flow paths are momentary type switches (with tactile feedback), containing a red status indicator for active or open, and a green status indicator for inactive or closed. Blue and amber status indicator lights/switches are used to indicate and select automatic control. Blue indicates automatic mode while amber signifies the manual mode of operation. In addition to hue coding, the red switch is always located above the green switch to reinforce hue distinction. Each switch generates an active control signal when depressed and is inactive when released. This design allows the switches to be easily replaced without affecting control of the component. It also facilitates bumpless transfer of control between the MCR and Remote Shutdown Panel.

Each switch is backlit to indicate equipment status/position. To physically distinguish different component types, three types of control switches are utilized to provide visual feedback to the operator:

• Type I: Pumps, fans, or other components that are the primary means of mass transport in a process (e.g., applies to main transformer circuit breakers).
• Type II: Discrete state auxiliary components (e.g., isolation valves, dampers).
• Type III: Throttle auxiliary components (e.g., throttle valve).

18.7.1.6.1.2 Valves

• Three-Way Valves

For three-way valves, where both valve positions are considered open, two red pushbuttons are provided. Each pushbutton is clearly labeled to indicate the process operation (e.g., to VCT/to RDT). For three-way valves a left/right switch orientation is used to distinguish that both controls open the valve. The switches are backlit to indicate the valve position as follows:
1. Switch 1 Red ON - Full open to Position 1
2. Switch 2 Red ON - Full open to Position 2
3. Both ON - Intermediate Valve Position
• Isolation Valves

Switches for isolation valves or dampers are physically different from other switches to help distinguish their function. Change in valve position is accomplished by depressing the switch that represents the desired position.

Motor operated isolation valves are provided with mid-travel reversing capability which allows control errors to be corrected immediately upon detection.

• Modulating/Throttle Valves

Modulating components are classified into four categories that are associated with their operational/control characteristics.

1. Motor-Operated Throttle

These valves are modulated by holding the open or closed switch in the desired direction of travel. Analog position indication is provided on a DPS display page and where appropriate on a discrete indicator. The physical representation of the discrete controls is different from that of an open/closed isolation valve to allow the operator to easily distinguish the valve's function. When the valve is in a throttled position (i.e., not full open or full closed) both indicator lights are lit.
2. Electro-Pneumatic Modulating Open

These valves are modulated open by pneumatic/air inlet and modulate closed by bleeding off air. Modulating control of this valve type is accomplished on a process controller.

Discrete red/green pushbuttons engage or disengage the process controller as follows:

Controller Permissive: The red pushbutton is on a split screen switch with a blue permissive indicator, with the blue located above red. Selecting this mode permits operation of the valve from the process controller. After selecting this mode, if the process control signal is engaged, the blue status light is lit. The red status lamp lights when the controller, either manual or automatic, modulates the valve off the closed position. Both the red and green switches are lit in addition to the blue/permissive when the valve is in the intermediate position. If the green/close discrete switch is selected, process control is disengaged and the valve returns to the closed/fail condition by bleeding off air, usually assisted by a spring.

3. Electro-Pneumatic Modulating Closed

These valves are similar to valve type 2, i.e., modulating open; however, air is used to modulate the valve in the closed direction. The green/close switch is a split screen with the blue permissive to help indicate valve type, with the blue located below green. The selection of the red switch causes air to bleed off and bring the valve to the open/fail position.

4. Electro-Pneumatic Modulating Open/Closed-Air

Air is used to modulate the valve in both the open and closed directions. This type of valve has no discrete control switches on the control panel. Control is accomplished on a process controller.

18.7.1.6.1.3 Status Controlled Components

The Nuplex 80+ MCR and RSR design allows administrative control of the state or position of components (e.g., Safety Injection Tank Isolation Valves) whose improper operation (e.g., unauthorized, inadvertent) could directly result in an unsafe plant condition or major equipment damage. Two methods of administrative control are used:

1. "Procedural Control" - The changing of state or position of components is regulated only via administrative procedures.

2. "Status Controlled" - The changing of state or position of components that are "status controlled" is required to be under "Procedural Control" and must utilize two discrete operator actions. The control devices are required to be enabled from their respective operator's module or equivalent device prior to operation of the component's control device (e.g., CCS Switch Configuration, CCS Process Controller Display). This enabling step replaces the "key lock" function in conventional control rooms.

18.7.1.6.2 Component Control Strategies

18.7.1.6.2.1 Control Location

Component controls are located in the MCR, Remote Shutdown Panel (RSP) and/or Local Control Stations (LCS) (i.e., local to the equipment being controlled). For the MCR and RSP only one control station is active at a time. The Nuplex 80+ design provides switches near each control room exit for transfer of control from the main control panel to the remote shutdown panel. Actuation of the switches at either exit initiates each PPS channel division of the ESF-CCS, and each division of the Process-CCS, to perform a soft transfer to deactivate the main control panel as a control interface and to activate the remote shutdown panel control interface.


The Maintenance & Test Panels in the channelized Equipment Rooms also provide a backup means for performing the transfer of control from the main control room to the remote shutdown panel. Alarms are generated if a component is repositioned locally or control from the MCR or RSP is disabled. The alarm prioritization is based on the potential system level impact (e.g., bypassed or inoperable status positioning).

18.7.1.6.2.2 ESFAS Control Signals

ESFAS signals have priority over operator commands and most other automatic control signals. Exceptions to this philosophy apply to automatic control signals whose function is equipment protection (e.g., electrical fault protection, lube oil interlocks, overload protection). Thermal overload protection devices are not used on MOV circuits, but provide alarms. Operator override capability for ESFAS signals is provided on all ESF actuated components. The logic is such that the override may be executed on a component basis only after the ESFAS signal has actuated. The override is executed by activating the control switch corresponding to the ESFAS initiated component position (this is an acknowledge function only) and then the control switch for the newly desired position (this repositions the component). When the ESFAS signal clears, the override logic also clears, such that subsequent ESFAS actuations are not bypassed. There are no alarms or status lights required for the override condition at the component level. However, alarms are provided for improper component line ups during actuation of an ESF system. See Section 18.7.1.8 which describes ESF Actuation Status Monitoring as part of the Nuplex 80+ Success Path Monitoring Feature. ESFAS operator overrides may be executed from the MCR or from outside the control room at the RSP. Separate override circuits are provided for each ESFAS signal actuating a component.
In this manner override of the first signal will not bypass or preempt actuation of the same component by subsequent same or different ESFAS signals. When an ESFAS signal clears (i.e., returns to the unactuated logic 0 state) the component will remain in its pre-cleared position. This will be the ESFAS actuated position or, if the ESFAS signal had been overridden, the new operator selected position. Once the ESFAS signal is cleared, repositioning of the component will occur only by a subsequent operator command or by an automatic control signal.

18.7.1.6.2.3 Bypassed or Inoperable Status Monitoring

Regulatory Guide 1.47 requires alarms for system level inoperable conditions which may result from bypassed or inoperable conditions at the component level. The intent is to identify ESF system unavailability prior to its actual need. The monitoring of component level inoperable and bypass conditions and determination of impact at the system level is provided through coordination of logic residing in the CCS and DPS. The following items are monitored as conditions that may render components bypassed or inoperable:

• Loss of control power through opening of breakers or local disconnects.
• Loss of power to control logic circuits.
• Removal of logic circuit cards.
• Transfer or disconnect of remote control circuits to enable local control circuits.
The system level monitoring design considers the fact that loss of control or logic power to the component may be an abnormal condition, but since many components are designed to be fail-safe or fail-as-is, the failure state may be acceptable at the system level (i.e., the component is inoperable but the system is not). In addition to component inoperable conditions, the monitoring system also considers component misalignments.

Provisions are also provided for manually inputting uninstrumented equipment and other uninstrumented malfunctions. This applies to locally controlled uninstrumented components (e.g., handwheel valves), remote-manually controlled instrumented components and other uninstrumented failures that could render a system inoperable. Remote manual components are those that are not actuated by ESFAS signals and, therefore, could be misaligned by the operator. The positions of uninstrumented locally controlled components such as valves in test lines, and other uninstrumented malfunctions, can be manually entered into the SPM algorithms from an operator interface provided in the control room. In either case, the SPM logic processes the position information to determine the effect on system level performance or availability.

18.7.1.6.2.4 ESF Actuation Status Monitoring

ESF component actuation status monitoring is provided as an integral part of the Nuplex 80+ design. Upon the initiation of an ESFAS, the design allows the operator to determine if all components in the corresponding ESF trains have responded properly. The system usually identifies to the operator those components whose state does not match the ESF demanded state and their impact on the ESF system response (e.g., is the system performing its intended safety function). This monitoring system performs its function when an ESFAS has been initiated, through to completion, and until reset occurs at the system level.
In general the following conditions are considered in the design:

• All component bypassed and inoperable conditions identified in the previous section that will or may impact proper system responses during the accident scenario.
• All individual ESF component overrides as described previously that will or may impact proper system response during and after the accident scenario.

18.7.1.6.2.5 Interlocks and Actuation Signals

This section defines generic Nuplex 80+ designs for component control interlocks and actuation signals. These are signals from process instrumentation or status signal interfaces between components.

• Interlock Signals

Interlock signals are those that inhibit operator or automatic control action until the condition is satisfied. Interlocks only perform permissive functions and do not cause repositioning of components. Interlock signals that inhibit operator action cannot be overridden by the operator.

• Actuation Signals

An actuation signal repositions the component. An actuation signal cannot be bypassed by the operator prior to its actuation. In some cases an actuation signal can be overridden by the operator after actuation. Depending on the nature of the desired override capability, the actuation signal logic is implemented in one of three ways as explained below:
1. Priority - 1 (No Override)

This is the highest priority implementation. When the actuation signal is active (logic 1), operator and other automatic control signals are blocked and the component is controlled by the actuation signal. As long as the actuation signal is active the component position cannot be changed (i.e. no override). This type of signal is used generally for equipment protection (e.g. pump trip on low lube oil pressure) and plant safety.

2. Priority - 2 (Surveillance Override)

When the actuation signal is active (logic 1), this override blocks automatic and manual control signals to reposition the component. The component is held in the actuated position as long as the actuation signal is active. The signal can be overridden by the operator by depressing and holding the control switch for the newly desired position. When the switch is released, the actuation signal returns the component to its demanded position.

3. Priority - 3 (Unrestricted Override)

When the actuation signal is active, this override repositions the component. This signal does not block any other active control signals. If any other control signal (operator or automatic) becomes active the component responds to that command. This type of signal is used when the control action is routinely required but where the need to change the component position is foreseen for some situations (e.g., diversion of VCT inlet valve to pre-holdup Ion Exchangers on VCT High Level).

For the three actuation signal types described above the component generally remains in the actuated position when the control signal clears. Repositioning of the component is accomplished by subsequent operator action or by another automatic control signal. In certain cases it is desirable to automatically reposition the component upon clearing of the actuation signal. In this manner, subsequent to repositioning, unrestricted operator control may resume. There are no indicators or alarms specifically to identify overriding actuation signals. However, if the override results in a system level problem other alarms are generated.

18.7.1.6.2.6 Operator Selected Automatic Control Signals

This section describes generic Nuplex 80+ designs for automatic control signals that are enabled and disabled by the operator. This section pertains to discrete process related controls. Process controllers and automatic signals relating to equipment failures are addressed in the next Section. For components that have discrete automatic process control signals that are enabled and disabled by the operator, an additional switch (or switches) is provided at the operator control station to activate or deactivate the auto mode. There is always one auto switch for each unique automatic mode that is to be individually enabled. As with all other operator control functions, the switch is a momentary type. Depressing the switch sets the Auto Mode latch. A backlight status indicator is lit when the auto mode is enabled.

• Automatic Control Signals

Setting the auto mode enables the automatic control signal(s). Automatic control signals generally reposition the component in both directions. This occurs either from a single signal or two separate signals (one for each direction). When the auto mode is enabled the operator can override the automatic control signals and initiate manual commands by depressing either of the manual control switches.
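The three actuation-signal priority types of Section 18.7.1.6.2.5 above, as an added worked model (not ABB/CE design material): the two-position open/closed model, the scan-based logic cycle, the edge-triggered treatment of Priority-3 signals and all component and signal names are assumptions made for the illustration.

```python
"""Actuation-signal arbitration for one discrete component, modelling the
three priority types of Section 18.7.1.6.2.5 above.

Added example, not ABB/CE code.  Assumptions: a two-position open/closed model
(also standing for on/off), a scan-based logic cycle, and edge-triggered
handling of Priority-3 signals so each repositions once and then stands aside."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Pos(Enum):
    CLOSED = "closed"        # or OFF for pumps and fans
    OPEN = "open"            # or ON


class Prio(Enum):
    P1_NO_OVERRIDE = 1       # equipment protection, plant safety
    P2_SURVEILLANCE = 2      # operator may override while holding the switch
    P3_UNRESTRICTED = 3      # repositions, blocks nothing


@dataclass
class ActuationSignal:
    name: str
    priority: Prio
    demand: Pos
    active: bool = False


@dataclass
class Component:
    name: str
    position: Pos = Pos.CLOSED
    signals: List[ActuationSignal] = field(default_factory=list)
    _p3_prev: Dict[str, bool] = field(default_factory=dict)  # P3 edge memory

    def holding_signal(self) -> Optional[ActuationSignal]:
        """Highest-priority active P1/P2 signal; these hold the component."""
        holds = [s for s in self.signals
                 if s.active and s.priority is not Prio.P3_UNRESTRICTED]
        return min(holds, key=lambda s: s.priority.value) if holds else None

    def scan(self) -> Pos:
        """One logic scan.  P1/P2 force their demand; P3 repositions only on
        becoming active; a signal that clears leaves the component where it is."""
        hold = self.holding_signal()
        if hold is not None:
            self.position = hold.demand
        for s in self.signals:
            if s.priority is Prio.P3_UNRESTRICTED:
                rising = s.active and not self._p3_prev.get(s.name, False)
                if rising and hold is None:
                    self.position = s.demand
                self._p3_prev[s.name] = s.active
        return self.position

    def command(self, want: Pos, operator: bool, held: bool = False) -> bool:
        """Operator switch press (operator=True) or another automatic control
        signal.  Returns True if the component repositioned.  Releasing a held
        switch is modelled by the next scan()."""
        hold = self.holding_signal()
        if hold is None:
            self.position = want         # nothing holds it; P3 never blocks
            return True
        if hold.priority is Prio.P1_NO_OVERRIDE:
            return False                 # no override of any kind
        if operator and held:            # P2: operator only, only while held
            self.position = want
            return True
        return False


def demo() -> Dict[str, bool]:
    """Constructed scenarios, one per priority type; every value should be True."""
    out: Dict[str, bool] = {}
    pump = Component("PUMP", Pos.OPEN)
    trip = ActuationSignal("LOW LUBE OIL PRESS", Prio.P1_NO_OVERRIDE, Pos.CLOSED)
    pump.signals.append(trip)
    trip.active = True
    pump.scan()
    out["p1_held_switch_blocked"] = not pump.command(Pos.OPEN, True, held=True)
    trip.active = False
    out["p1_stays_tripped_after_clear"] = pump.scan() is Pos.CLOSED
    out["p1_restart_after_clear"] = pump.command(Pos.OPEN, True)
    valve = Component("ISOL VALVE", Pos.OPEN)
    isolate = ActuationSignal("ISOLATE", Prio.P2_SURVEILLANCE, Pos.CLOSED)
    valve.signals.append(isolate)
    isolate.active = True
    valve.scan()
    out["p2_auto_blocked"] = not valve.command(Pos.OPEN, operator=False)
    out["p2_held_opens"] = valve.command(Pos.OPEN, True, held=True)
    out["p2_release_recloses"] = valve.scan() is Pos.CLOSED
    vct = Component("VCT INLET", Pos.CLOSED)
    divert = ActuationSignal("VCT HIGH LEVEL", Prio.P3_UNRESTRICTED, Pos.OPEN)
    vct.signals.append(divert)
    divert.active = True
    out["p3_repositions"] = vct.scan() is Pos.OPEN
    out["p3_operator_wins"] = vct.command(Pos.CLOSED, True)
    out["p3_no_retrigger"] = vct.scan() is Pos.CLOSED
    return out
```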

• Auto Mode Selection For Individual Components

Components that operate automatically but independently of other components have their own auto mode selector switch as shown in Figure 18.7.2-3. There is one selector switch for each unique auto mode. The switch is located with the manual controls for the component. The auto mode latch is reset by actuating the desired manual switch (on/open or off/closed).
• Auto Mode Selection With Multiple Components

There are many control designs that require multiple components to be controlled by the same automatic control signal. For these situations the configuration of the auto mode switch depends on the control design as follows:

1. If each component is enabled / disabled individually with no restrictions then there is one switch for each component.
2. If all components are enabled together as a group, then there is one auto mode switch (as opposed to one for each component). This switch is located and labeled to show its group orientation. The auto mode is reset by manual actuation of any component in the group.
3. If multiple components are interlocked such that only certain auto mode combinations are selectable then there is one switch and status indicator for each component. The switches are interlocked to limit the selections. These switches are located and labeled to show their group orientation. Typical switch and logic configurations are described below:
- A or B (not both, but always at least one)

Two switches interlocked so the selection of B resets the selection of A and vice versa. For additional components, switches are added one per component interlocked in the same manner.

- A or B, or neither (but not both)

Two switches interlocked as in A above. In addition, to select neither, either of the manual control switches (on/open or off/close) for either component is depressed. For additional components, switches are added one per component interlocked in the same manner.

It is noted that the addition of mode selector switches as defined above applies in the presence of automatic control signals only. If there are no automatic control signals but it is necessary to limit the number of components manually selected by the operator, the control logics for the components are interlocked without adding additional mode selector switches. The interlocking is arranged such that the on/open status of one component is an automatic actuation signal to deenergize/close and block repositioning the second component.

• Auto Mode Selection for Control Sequences

Control configurations that involve two or more components and two or more automatic control signals are referred to as Automatic Control Sequences. Typically these involve components arranged in a "First to Run, Second to Run," and so forth type configuration. There is one auto mode selector switch for each unique operating sequence, not each component as in previous sections. Typical switch arrangements are as follows:

Two Components - AB, BA
Three Components - ABC, BCA, CAB

As in the previous section these switches are located to show their group orientation. When a component is manually actuated on/off or open/closed, the auto mode of only that component is reset. This design permits the operator to take a particular component out of Auto while allowing the remaining ones to respond automatically. Also they are interlocked in the same manner for "at least one" or "neither" selections. Switch labeling defines multiple components (versus individual components) to distinguish sequence controls from simultaneous operation of multiple components as in the previous Section. It is re-emphasized that this switch configuration pertains to process related auto control signals only.

• Automatic Rotation of Control Selections

The control selections defined in the previous sections determine a fixed arrangement of component operation. Changes to the auto mode to select a different component combination or a different operating sequence are made by the operator. For some control configurations it is desirable to automatically change the auto mode selection. This is usually done to equalize component wear. The automatic rotation may be a function of operating time, a process parameter, and so forth.

For these situations the auto mode selector switches remain as previously defined and another switch is added to enable or disable the automatic rotation action. This switch function is implemented identical to the auto mode selection itself. A momentary type switch toggles a flip-flop to enable or disable the function and a status light indicates that the auto rotation is enabled. It is noted that the automatic rotation signal selects the new auto mode as if it were selected by the operator. The control board status lights change accordingly. Enabling the auto rotation function does not preclude manual selection changes by the operator.

18.7.1.6.2.7 Standby Control Functions

This section describes the general Nuplex 80+ designs for detecting component discrepancies and automatically starting backup or standby components.
• Standby Control Definition

"Standby Control" is the term used in reference to control configurations where a component automatically starts in response to a failure of another component which was previously operating. This design feature normally applies to pumps or fans. The design is generic and is applied to two component configurations or configurations with more components.

• Enabling Standby Control

The operator enables standby control, for the entire group of components involved in the control configuration, with one switch. Only one switch is used regardless of the number of components in the group. As for all other control switches it is a momentary type. Depressing the switch toggles a logic flip-flop to set and reset (enable and disable) the standby control logic. A status indicator lights when standby control is enabled.

• Detecting Component Discrepancy

To detect component discrepancy it is necessary to first determine that the component should be operating. To do this the logic contains a "component operating" latch which is set by all manual and automatic start signals. Note that for standby control, there is no distinction in the method of component starting. The intention of the logic is to determine that the component should be operating and then properly detect when it is not. To determine that the component should not be operating, this same latch is reset by all control signals that represent normal automatic and manual stopping conditions. Excluded from this would be all abnormal stop signals, which are signals relating to any condition indicative of equipment malfunctions. This would include electrical faults, low discharge pressures, low lube oil pressures, breaker open status contacts, etc.

One or more of these abnormal stop signals are used to detect the component failure. To do this the abnormal stop signals are combined with a delayed output of the previously described latch. The latch output is delayed to allow any pre-start conditions to clear (e.g., low discharge pressure). The component failure signal is then used to start the next component in the operating sequence and generate a common component failure alarm. The component failure alarm clears only after the "component operating" latch is reset by a normal stop signal (e.g., operator depressing STOP pushbutton).
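The standby control logic described in this section (enable flip-flop, "component operating" latch, delayed failure detection, cascaded start and common alarm), as an added worked model that is not ABB/CE design material: the scan-based timing, the 5-scan delay, the pump names and the choice to gate detection on the group enable are assumptions made here.

```python
"""Standby control logic for a pump/fan group (Section 18.7.1.6.2.7 above):
"component operating" latch, delayed failure detection and cascaded start.

Added example, not ABB/CE code.  Assumptions: a scan-based cycle with a 5-scan
latch delay, the signal names used, and that failure detection as well as the
standby start are gated by the group enable flip-flop."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class StandbyUnit:
    """One pump or fan in a standby-controlled group."""
    name: str
    operating_latch: bool = False   # set by ANY start, reset by NORMAL stops only
    latch_age: int = 0              # scans since the latch was set
    failed: bool = False            # component failure signal

    def start(self) -> None:
        """Manual or automatic start; standby logic does not distinguish them."""
        if not self.operating_latch:
            self.latch_age = 0
        self.operating_latch = True

    def normal_stop(self) -> None:
        """Normal stop (e.g. operator STOP pushbutton): resets the latch and so
        clears the failure signal.  Abnormal stops never call this."""
        self.operating_latch = False
        self.failed = False


@dataclass
class StandbyGroup:
    units: List[StandbyUnit]        # operating sequence order, e.g. [A, B]
    enabled: bool = False           # one enable flip-flop for the whole group
    delay_scans: int = 5            # lets pre-start conditions clear

    def toggle_enable(self) -> bool:
        """Momentary switch toggles the standby-control flip-flop."""
        self.enabled = not self.enabled
        return self.enabled

    def failure_alarm(self) -> bool:
        """Common component failure alarm for the group."""
        return any(u.failed for u in self.units)

    def scan(self, abnormal_stops: Set[str]) -> Optional[str]:
        """One logic scan.  abnormal_stops names the units whose abnormal stop
        signal (electrical fault, low discharge pressure, low lube oil pressure,
        breaker open, ...) is active.  Returns the unit started by standby
        action this scan, if any."""
        started = None
        for i, unit in enumerate(self.units):
            if unit.operating_latch:
                unit.latch_age += 1
            delayed_latch = (unit.operating_latch
                             and unit.latch_age > self.delay_scans)
            # Failure = abnormal stop AND delayed "component operating" latch.
            if (self.enabled and delayed_latch and not unit.failed
                    and unit.name in abnormal_stops):
                unit.failed = True
                nxt = self.units[(i + 1) % len(self.units)]  # cascade A->B, B->A
                if not nxt.operating_latch:
                    nxt.start()
                    started = nxt.name
        return started


def demo() -> List[str]:
    """Constructed scenario for a two-pump group.  Returns a list of events."""
    a, b = StandbyUnit("PUMP A"), StandbyUnit("PUMP B")
    group = StandbyGroup([a, b])
    group.toggle_enable()
    events: List[str] = []
    a.start()
    # Scans 1-3: low discharge pressure during start-up must not count as failure.
    for _ in range(3):
        if group.scan({"PUMP A"}) or group.failure_alarm():
            events.append("false trip")
    for _ in range(4):                       # scans 4-7: running normally
        group.scan(set())
    # Scan 8: a real abnormal stop after the delay has expired.
    started = group.scan({"PUMP A"})
    events.append(f"started {started}" if started else "no standby start")
    events.append("alarm on" if group.failure_alarm() else "alarm off")
    group.scan({"PUMP A"})                   # still faulted: no second trigger
    a.normal_stop()                          # operator presses STOP on A
    events.append("alarm off" if not group.failure_alarm() else "alarm on")
    events.append("B latched" if b.operating_latch else "B idle")
    return events
```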


• Determining and Starting the Standby Component

Where only two components (e.g., A and B) are involved, the component failure signal from A starts component B and vice versa. The same design is used with multiple components and the signals are cascaded in the same manner.

18.7.1.6.2.8 Process Signal or Component Selection

There are many control designs that permit the selection from redundant process instrumentation channels (e.g., X or Y) as input to a (or a set of) component control logic(s). If one or multiple components are to be controlled by a selectable process control signal, then there is one switch and status indicator for each available process instrumentation channel. The standard switch configuration for two channels (X or Y, not both, but always at least one) is two switches interlocked so the selection of "X" resets the selection of "Y" and vice versa. For additional channels, switches are added one per channel interlocked in the same manner.

18.7.1.6.2.9 Component Discrepancy

The DPS and DIAS normally display abnormal component conditions via VDU and alarm features described in previous sections. In addition a component discrepancy operator aid occurs when the demanded state of a component (demanded by remote, automatic control action) is found to be different from that of the component. This operator aid is also displayed as a flashing status indication provided on the component switch backlights to aid the operator in identifying these same abnormal conditions.

The control switch flashing status may be deactivated. This prevents the operator from having to walk around the control room to acknowledge each flashing switch. Acknowledgement is through the VDU or alarm tiles when the control switch flashing status is deactivated. DPS Component Discrepancy Operator Aids have the following properties:

1. Operator Aid coding of the descriptor for the component.
2. When acknowledged, displays the message "Component discrepancy: Re-arm control logic at the switch".
3. When the clear Op Aid signal comes in, due to re-arming of the logic, the Op Aid resets.
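
The "component operating" latch, the delayed combination with abnormal stop signals, the cascade to the standby component, the common alarm and the demanded-versus-actual discrepancy check described above, modelled as an added Python example. This is the editor's illustration, not logic taken from the System 80+ DCD: the scan-based timing, the pre-start clearing delay of three scans, the signal names and the scenario at the bottom are all constructed assumptions.

```python
"""Discrete-time model of the "component operating" latch, abnormal-stop
failure detection and standby cascade.  Added illustration by the editor,
not logic from the System 80+ DCD: the scan timing, the pre-start delay
(3 scans), the signal names and the demo scenario are assumptions."""

from dataclasses import dataclass

# Abnormal stop signals: conditions indicative of equipment malfunction.
# They never reset the latch; they are ANDed with its delayed output.
ABNORMAL_STOP_SIGNALS = {"electrical_fault", "low_discharge_pressure",
                         "low_lube_oil_pressure", "breaker_open"}


@dataclass
class ComponentLogic:
    name: str
    prestart_delay: int = 3        # scans before the latch output is used (assumed)
    operating_latch: bool = False  # "component should be operating"
    latch_age: int = 0             # scans since the latch was set
    running: bool = False          # actual field state of the component
    failure: bool = False          # component failure signal

    def start(self) -> None:
        """Every manual or automatic start signal sets the latch."""
        self.operating_latch, self.latch_age, self.running = True, 0, True

    def normal_stop(self) -> None:
        """Normal stop (e.g., STOP pushbutton): the only reset of the latch,
        which is also what clears the failure signal and its alarm."""
        self.operating_latch, self.latch_age = False, 0
        self.running, self.failure = False, False

    def discrepancy(self) -> bool:
        """Demanded state differs from the actual component state."""
        return self.operating_latch != self.running

    def tick(self, active_signals: set[str]) -> bool:
        """One scan.  Returns True on the scan in which a failure is detected:
        an abnormal stop signal is present AND the delayed latch output is set.
        Inside the delay, pre-start conditions are deliberately ignored."""
        abnormal = active_signals & ABNORMAL_STOP_SIGNALS
        if not self.operating_latch:
            return False                       # component is not demanded
        self.latch_age += 1
        delayed_latch = self.latch_age > self.prestart_delay
        if delayed_latch and abnormal and not self.failure:
            self.failure = True                # latched until a normal stop
            self.running = False               # the malfunction stopped it
            return True
        return False


class StandbySequence:
    """Cascade: failure of component i starts component i+1 (wrapping)."""

    def __init__(self, names: list[str]) -> None:
        self.components = [ComponentLogic(n) for n in names]

    def __getitem__(self, name: str) -> ComponentLogic:
        return next(c for c in self.components if c.name == name)

    def scan(self, signals: dict[str, set[str]]) -> list[str]:
        """One scan with per-component active signals; returns names started."""
        started = []
        for i, comp in enumerate(self.components):
            if comp.tick(signals.get(comp.name, set())):
                nxt = self.components[(i + 1) % len(self.components)]
                nxt.start()
                started.append(nxt.name)
        return started

    def common_alarm(self) -> bool:
        """Common component failure alarm: any latched failure."""
        return any(c.failure for c in self.components)


def demo() -> dict:
    """Constructed scenario: pump A starts against low discharge pressure that
    clears within the delay (no failure), later trips on an electrical fault."""
    seq = StandbySequence(["A", "B"])
    seq["A"].start()
    log = {}
    for _ in range(2):                                # pre-start condition, inside delay
        seq.scan({"A": {"low_discharge_pressure"}})
    log["false_alarm"] = seq.common_alarm()           # False
    for _ in range(3):
        seq.scan({"A": set()})                        # normal running
    log["started"] = seq.scan({"A": {"electrical_fault"}})   # ["B"]
    log["alarm"] = seq.common_alarm()                 # True
    log["a_discrepancy"] = seq["A"].discrepancy()     # True: demanded but stopped
    seq["A"].normal_stop()                            # operator presses STOP
    log["alarm_after_stop"] = seq.common_alarm()      # False
    return log
```

The point the model makes concrete is the asymmetry in the latch: an abnormal stop condition can never clear the alarm by itself, so a component that trips and is then restarted by an automatic signal still carries its failure until an operator or a normal automatic stop resets the demand.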

18.7.1.7 Process Controllers

Process controllers are dynamic interactive graphics display devices used by the plant operator to monitor and manipulate process control functions. Process controller design is based on programmable flat panel visual display technology with touch sensitive screens. Each process controller display is designed (programmed) for its specific application in accordance with a standardized graphics template to provide design and operational consistency. This design approach minimizes the potential for operator-induced process control errors.


The process controllers allow control of throttling or variable position devices (such as electro-pneumatic valves) and associated switches from a single control panel device. Process controllers are used for closed loop control of many types of process variables, including pressure, temperature, level and flow.

Process controllers are designed for each specific control loop utilizing the generic display and control features described in this section.

• Process Controller Operation

The process controller facilitates both supervisory (master loop) control and individual (subloop) control and monitoring of process control functions. Each process controller is dedicated to only its process control function. The standardized display is divided into static and dynamic sections as shown in Figure 18.7.1-16 (Pressurizer Level Control is used as a typical example). In the static sections, only parameter values and text labels vary. Touch targets in these sections remain fixed. Conversely, graphics in the dynamic section change upon operator demand based on touch target selection from the static sections. Touch targets are indicated by a rectangular box surround (i.e., a button) to distinguish them from labels and data.

Master loop and subloop control sections include a bargraph representation of process deviation from setpoint as applicable. The normal deviation band is also included as part of the scale. Bargraphs are aligned with setpoint selection targets, and controlled parameter selection / display targets are located directly above. This information, in conjunction with process trend information on DIAS displays, provides a concise representation of control loop performance at a glance. Loop operating mode (i.e., SEMI-AUTO, AUTO, MANUAL), demand (i.e., OUTPUT) and subloop component selection (i.e., CH-XXX) are also displayed in static sections.

1. Master Loop Control Signal Selection

Figure 18.7.1-17 demonstrates operator selection of the master loop control signal. The operator touches the VALID target in the master loop control section and the target changes to reverse video. Upon removal of the finger from the screen, a menu appears in the dynamic section. A label above the dynamic section identifies the current display.

This control signal selection menu identifies % level signals that can be assigned as the master loop process variable. Possible selections are L-103N, L-110B, L-110A, VALID or VALCOMP (temperature compensated valid). Also shown are selectable temperature compensation signals. The currently selected % level signal (VALID) is highlighted by "selection" coding.

Upon completion of selection, the operator may leave the display as is, delete the dynamic section by selecting CLEAR, which returns the display to that shown in Figure 18.7.1-16, or overwrite the dynamic section directly with an alternate selection from any static section. In any mode, the display automatically updates variables including deviation bar graphs and status text.


2. Subloop Control Setpoint Selection

Figure 18.7.1-18 demonstrates operator selection of a subloop control setpoint. The operator selects the setpoint target in the letdown section, revealing the setpoint display as shown. This display has a bargraph which shows the current letdown flowrate. On either side of the bargraph are arrows which show the master setpoint and operator setpoint values for the letdown subloop. The bargraph is centered directly below the digitally displayed setpoint values. Setpoint arrows are oriented such that the digital setpoint is displayed above its respective arrow.

A label above the dynamic section identifies the current selection (Letdown Flow Setpoint). When the operator setpoint is selected, it is increased or decreased by touching the UP or DN touch targets. Upon completion of setpoint manipulation, this screen is deleted or replaced by the methods described in item 1 above.

3. Subloop Operating Mode Selection

Figure 18.7.1-19 shows a typical operating mode selection display. The operator selects the OUTPUT target in the letdown section, revealing the dynamic section display as shown. A label above the dynamic section identifies the current selection (LTDN FLOW OUTPUT DEMAND). The currently selected option (Manual) is highlighted by "selection" coding. The current output (40%) is also displayed. In the manual mode, the output is varied using the UP or DN touch targets, and an arrow with scale is included to indicate the rate (slow or fast) of manual output variation.
4. Subloop Component Selection

Figure 18.7.1-20 provides an example of a typical component selection feature using the letdown control subloop. The component selection target (CH-201P/CH-201Q) is selected in this section, revealing the component display as shown. This display replaces discrete control switches on the control panel and mimics their operation for components controlled by the subloop. In this example, CH-201P is selected and CH-201Q is not, as exhibited by SELECT target selection coding. Component status is displayed via the component symbol (filled = closed, partially filled = intermediate position, hollow = open). This symbology is consistent with that used for DPS displays. Touching the SELECT target arms the components for controller operation based on subloop demand, while touching the CLOSE target causes the component to close.

The selection examples described above are similar for other selectable process controller functions.

18.7.1.8 Safety Related Information in Nuplex 80+

Safety-related information is integrated into the control room to allow its use by the operator, where possible, during normal operation.

The following is a summary of safety-related information in Nuplex 80+. Details concerning specific presentation methods (e.g., DIAS) are presented in earlier sections of 18.7.1.

18.7.1.8.1 Safety-Related Displays¹

Section 7.5 provides a complete discussion of the Nuplex 80+ approach to providing safety-related display instrumentation including compliance with Regulatory Guide 1.97. In many situations, safety-related parameters are only a subset of the parameters that monitor a particular process. Operators of present control room designs use control or narrow range indications during process control and use separate safety related indications when monitoring plant safety concerns. For Nuplex 80+ the same indicators used for normal operations are used for monitoring and control of safety-related situations. These indications are validated for accuracy against the safety-related parameters. If a process representation value deviates excessively from the associated PAMI channel data, a validation alarm is generated. In response to an alarm condition, the operator can review the individual channels associated with the parameter on either a diagnostic DPS display page or the discrete indicator displaying that parameter. At this time he can select the indication from the most appropriate sensor for display, including that from post accident monitoring instrumentation. The operator is informed via the alarm system when the validation algorithm is not able to validate the data. The resultant outputs of the validation algorithms are used on IPSO, the discrete indicators, and the higher level display pages that contain the parameter.
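The validation behaviour just described (process representation checked against the PAMI channel, a deviation alarm on excessive disagreement, an "unable to validate" alarm when the check cannot be made, and operator selection of the sensor shown on the displays), as an added Python example. This is the editor's illustration, not the Nuplex 80+ validation algorithm: the channel tags, the use of the median of the healthy control channels as the process representation, the deviation limit and the sample readings are constructed assumptions.

```python
"""Toy version of indicator validation against the safety-related (PAMI)
channel.  Added example by the editor, not the Nuplex 80+ algorithm: the
channel tags, the median as process representation, the deviation limit
and the sample readings below are all constructed."""

from dataclasses import dataclass
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Channel:
    tag: str
    value: Optional[float]   # None = channel failed / no valid data
    pami: bool = False       # True for post accident monitoring instrumentation


@dataclass(frozen=True)
class ValidationResult:
    display_value: Optional[float]  # value sent to IPSO, indicators, display pages
    source: str                     # "process", "selected:<tag>" or "none"
    deviation_alarm: bool           # process value deviates excessively from PAMI
    unable_to_validate: bool        # algorithm could not validate the data


def validate(channels, deviation_limit, selected: Optional[str] = None):
    """Validate the process representation of one parameter.

    selected: tag of the sensor the operator chose to display instead of the
    process representation (may be the PAMI channel itself)."""
    good = {c.tag: c for c in channels if c.value is not None}
    process = [c.value for c in good.values() if not c.pami]
    pami = [c.value for c in good.values() if c.pami]
    # Process representation: median of the healthy control channels (assumed).
    process_value = median(process) if process else None
    # No usable process value or no usable PAMI data: validation impossible.
    unable = process_value is None or not pami
    deviation = (not unable) and max(abs(process_value - p) for p in pami) > deviation_limit
    if selected is not None and selected in good:
        return ValidationResult(good[selected].value, f"selected:{selected}",
                                deviation, unable)
    return ValidationResult(process_value,
                            "process" if process_value is not None else "none",
                            deviation, unable)


# Constructed sample readings (percent level); tags are placeholders.
LIMIT = 2.0


def demo() -> dict:
    """Three constructed cases: healthy, drifted control channels, failed PAMI."""
    healthy = [Channel("L-CTRL-1", 55.0), Channel("L-CTRL-2", 55.4),
               Channel("L-CTRL-3", 54.8), Channel("L-PAMI", 55.1, pami=True)]
    drifted = [Channel("L-CTRL-1", 55.0), Channel("L-CTRL-2", 61.0),
               Channel("L-CTRL-3", 60.5), Channel("L-PAMI", 55.1, pami=True)]
    no_pami = [Channel("L-CTRL-1", 55.0), Channel("L-CTRL-2", 55.4),
               Channel("L-CTRL-3", 54.8), Channel("L-PAMI", None, pami=True)]
    return {
        "healthy": validate(healthy, LIMIT),
        "drifted": validate(drifted, LIMIT),
        # Operator reviews the channels and selects the PAMI sensor for display.
        "drifted_pami_selected": validate(drifted, LIMIT, selected="L-PAMI"),
        "no_pami": validate(no_pami, LIMIT),
    }
```

Note that selecting a sensor changes only what is displayed; the deviation alarm stays up because the disagreement between the control channels and the PAMI channel is still present and still worth the operator's attention.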

In addition to the DPS and discrete indicator displays integrated into each panel, the Regulatory Guide 1.97 Category 1 information is also displayed by an independent discrete indication or channel at a single location on the safety monitoring panel. Nuplex 80+ complies with NUREG-0737 Supplement 1 requirements. The following is a summary of how Nuplex 80+ complies with the eight primary Supplement 1 requirements:

1. The Nuplex 80+ Advanced Control Complex provides a concise display of critical function and success path performance indications to control room operators via the Data Processing System (DPS), i.e., the plant computer.
2. Critical function information is provided through a dedicated DPS critical function display page hierarchy and is available on all DPS VDUs in the Nuplex 80+ control complex. There is a DPS VDU on every panel section in the controlling workspace (e.g., RCS, CVCS, ESF, etc.).
3. The IPSO big board display is a dedicated display which continuously shows all critical function alarms and key critical function and success path parameters to the control room operators.
4. The DPS system, which provides the Nuplex 80+ SPDS function, has a reliability of greater than 99.99%.
5. The DPS accommodates the failure of any single hardware element so that no single failure will disable any of its functions. The DPS is fully isolated from all safety systems.
6. The DPS HSI design is developed according to a comprehensive set of Human Factors Standards and Guidelines for System 80+.

¹ NRC Staff approval is required prior to implementing a change in this information; see DCD Introduction Section 3.5.

7. All five (reactivity control, reactor core cooling and heat removal from the primary system, reactor coolant system integrity, radioactivity control, and containment conditions) of the safety function elements are included in the DPS Critical Functions Monitoring hierarchy, which forms the basis of the Nuplex 80+ SPDS function.

8. The System 80+ Critical Functions Monitoring function (SPDS) is developed in a complementary (parallel) fashion with the development of the System 80+ Emergency Operations Guidelines.

Generic emergency procedure guidelines are used during the design process.

Attachment 2 of Reference 2 provides a more detailed explanation of how Nuplex 80+ complies with NUREG-0737 Supplement 1 requirements.

18.7.1.8.2 Critical Function and Success Path Monitoring

Critical Function and Success Path (availability and performance) information is integrated throughout the Nuplex 80+ information hierarchy. The critical function and success path monitoring application programs, in conjunction with the continuous IPSO display and the DPS VDUs, meet SPDS requirements for Nuplex 80+ without using stand-alone monitoring and display systems. Alarms provide guidance to unexpected deviations in critical functions as well as success path unavailability or performance problems. Alarm priorities are assigned based on the proximity of the alarm setpoint to a significant operator action condition. Section 18.7.1.1.4 provides a more detailed explanation of alarm priorities.

IPSO continuously provides overview information that is most useful for operator assessment of the critical functions; see Section 18.7.1.1. Each box within the matrix highlights the presence of alarms that threaten the specific critical function. The display format for the box indicates the highest priority of all related alarm conditions. Supporting information relating to critical function alarm conditions is available by using the alarm tiles on the critical functions section of the DPS display page hierarchy. The critical function section of the display page hierarchy contains the following information:

• Level 1 Display Page

This "Critical Function" overview page provides more detail on the critical function matrix presented on IPSO. More detail is provided on alarm conditions (descriptor) to help guide the operators to the appropriate Level 2 Critical Functions display pages. A typical Level 1 Critical Functions display page is shown in Figure 18.7.1-13.

• Level 2 Display Page

A second level page exists for each of the twelve critical functions. Each page contains:

1. The critical function information provided on the 1st level display page that is associated with the critical function.


2. Information related to success path availability and performance of the success paths that can support that critical function.
3. High level process information presented using a mimic format with the critical function / success path related information.
4. A time trend of the most representative critical function parameter, when a trended parameter provides useful information for understanding if the critical function status is improving, degrading or stable.

A typical Level 2 critical function display page is shown in Figure 18.7.1-14.

• Level 3 Display Pages

The third level display pages in the critical function hierarchy are duplicates of display pages existing elsewhere in the hierarchy. These diagrams mimic success paths that can be used to satisfy the critical function represented on a Level 2 display page. For example, the safety injection display page under Inventory Control also exists within the primary section of the display page hierarchy. A typical Level 3 critical function display page is shown in Figure 18.7.1-15.

• Other Critical Function / Success Path Information

In addition to the critical function display pages, the following information helps support the operator's notification of and response to alarms and other information associated with Critical Functions and Success Paths:

1. ESF Monitoring Module

Problems associated with success path availability are indicated on an ESF monitoring module, located on the ESF panel (see Figure 18.7.1-12). This module contains columns for each safety related success path and provides indication by success path train of system unavailability. The ESF module provides a single location where the operator can observe the unavailability of safety systems on a per train basis. These conditions generate priority 1, 2, 3 alarm conditions. These alarm conditions are indicated on IPSO by alarm coding of the success path's descriptor.

2. DIAS Displays

The Discrete Indication and Alarm System (DIAS) processes and displays selected plant parameters and component status. The resulting indications and alarms are displayed at the parameter and component level. DIAS does not process critical function and success path related alarm algorithms. The DIAS indication and alarm information displayed is consistent with any critical function algorithm or success path algorithm information, since both systems use the same process parameter and component data. Critical function and success path information processing is based upon generic parameter and component algorithms used in both DPS and DIAS.


• Critical Function / Success Path Information Table

The following provides a list of information displays / indications that provide the operator with critical function / success path information.

Operator Interface Feature                       Information
1. IPSO                                          Priority 1, 2, 3 Critical Function / Success Path alarm indication; Safety Function Status Check selected.
2. ESF Monitoring Module (ESF Monitoring Panel)  Safety parameter status by train (for safety systems encompassed by Reg. Guide 1.47).
3. DIAS Displays                                 Alarm information depicting critical function and success path parameter problems.
4. DPS VDU Displays                              Critical Function section of the information hierarchy and alarm information in lower level pages (i.e., 2nd and 3rd level) depicting success path problems and critical function parameter problems.

18.7.1.9 Operators' Modules

Operators' Modules are provided in Nuplex 80+ for operator interaction with specific I&C systems or functions (e.g., PPS, MDS, CPC, CCS, Control Element Drive Mechanism System). These modules and features are not included in the six standard HSI monitoring and control design features described in Section 18.7.1 because the functional requirements are unique for each system. They will be designed in accordance with the standard Nuplex 80+ information and control system conventions and the criteria specified in the Human Factors Engineering Standards, Guidelines, and Bases for System 80+ (Section 18.4, Reference 6). A suitability verification will be performed on each system or function operators' module in accordance with the HFE Verification and Validation Plan (Section 18.4, Reference 3). Other as yet unspecified features will be developed using this same process.

18.7.2 Nuplex 80+ Information / Panel Layout Criteria

Information / panel layout is a Human-System Interface design process activity governed by and described in the Human Factors Program Plan for the System 80+ Standard Plant Design (Section 18.4, Reference 4). A procedure was established to develop main control room panel layouts that meet a consistent set of criteria. Nuclear power plant control room design efforts are normally carried out by several engineering organizations. Because of the diversity of organizations involved, the possibility exists that diverse criteria and procedures will be followed. Since the chances of achieving consistent main control panel layouts are reduced if this occurs, a set of design criteria and an established methodology are necessary before design begins. This section presents the criteria used and is followed by the step by step procedural method to implement the criteria. The two main purposes of this approach are:


• to document the Nuplex 80+ main control room design process, which ensures that appropriate human engineering and standard design practices are utilized in the design of the Nuplex 80+ main control panels; and
• to provide the layout criteria and procedures utilized such that each individual involved in the design can develop an individual area of the control panel layout utilizing a common philosophy and methodology (Figure 18.7.2-1).

The Nuplex 80+ control panel controls and indications are arranged by criteria that were established prior to panel design to ensure that consistency exists throughout the design process. The criteria include arranging controls and indications consistent with their operational function, evaluating the use of the control room in many operational modes, and making provisions for changes which may be required in the design. The procedure implementing these criteria consists of three main parts:

• Part I: Determination of functional groups and assignment to respective control panel sections.
• Part II: Determination of required control and indication devices and assignment to appropriate functional groups.
• Part III: Detailed arrangement of the devices within the functional groups.

The sequence of the steps listed above looks first at what is required functionally by the operator. Following specific criteria, with the control room configuration as a basis, the functions required to be performed in the control room are placed on the control panels. The second portion of the effort involves determining and categorizing all control and indication devices required in the control room. The control and indication devices are assigned to the selected functions. The third and final portion involves arrangement of these devices within the functional groups according to specific criteria for detailed panel layout. Evaluation of the design is performed in the first and third steps. In the first step a high level operational analysis is performed, based on function only. A full operational analysis is performed using procedures and operational, engineering and human factors personnel in the third step.

18.7.2.1 Part I: Determination of Functional Groups and Assignment to Respective Control Panels

The first step in arriving at main control panel layouts involves four basic tasks.

• Based on the functional task analysis, Emergency Operations Guidelines (EOG) and plant operating sequences, functions performed by the operator during various operating modes are determined.
• These functions are assigned to the main control panels based on the configuration defined in Section 18.6.5.
• The functions are arranged on the assigned panels.
• A high level operational analysis is performed based on the functional arrangement.


18.7.2.1.1 Nuplex 80+ Control Room Organization

Prior to the development of control panel layouts it is necessary to establish the Nuplex 80+ control room functional organization (see Section 18.6.5 for a more complete discussion of the panel configuration within the control room). The Nuplex 80+ controlling workspace consists of two main operational areas, the MCC and the ACSC. The MCC is the area where normal operations take place. The controls and indications located on these panel sections provide an operator with the capability of maneuvering the plant from hot shutdown to full power operation and return to hot shutdown. The MCC is designed for standing or seated operation. The ACSC is the control area where infrequent auxiliary and safety operations take place. These panels are designed for standing operation.

18.7.2.1.1.1 MCC Functional Organization

The MCC design basis requires that all controls and indicators be provided to perform the following tasks:

  • Perform monitoring and control tasks associated with maneuvering the plant from hot shutdown to full power operation and return to hot shutdown.
  • Monitor major automatic controls (i.e., pressurizer automatic pressure and level controls) to maintain plant availability.
  • Perform standard post trip actions following a reactor trip.
  • Maintain monitoring capability of plant investment concerns.

The MCC is organized into two functional areas. NSSS functions are located on the left, and BOP functions on the right. Each of these areas is assigned specific panel sections based on the frequency of their intended use. Those panels that contain functions performed most frequently are placed toward the center of the console (see Figure 18.6.5-2). This is discussed in more detail in Section 18.6.5.1.

18.7.2.1.1.2 ACSC Functional Organization

The ACSC contains all controls and indications necessary for functions performed on an infrequent basis for monitoring and control of the auxiliary and safety systems. The Safety Console consists of a group of functionally related panel sections which contain all controls and indications necessary for the operator to cope with all design basis accident conditions. The Auxiliary Console contains functions which are not required to be accessed frequently for normal power operation but are required infrequently or for operation in other operating modes (i.e., Technical Specification Modes 3-6). The ACSC panel configuration is discussed in more detail in Section 18.6.5.2.

18.7.2.1.2 Criteria for the Determination of Functional Groups

The Nuplex 80+ functional design process is based on operator functions as the primary design criterion. Even though there is often a definite relationship between operator and equipment or system functions, maintaining the operator's perspective during this phase of the design is essential. The operator functions are determined from the functional task analysis results supplemented by a review of normal

and emergency operating sequences and guidelines. The identification of operator functions in the functional task analysis is described in Section 18.5.1. Note that though specific task sequences may vary within a function which is identified in multiple events or procedures, only one function is identified for the design process. Thus only one functional group is required on the control room panels.

18.7.2.1.3 Criteria for Assignment to Respective Control Panels

As discussed in Section 18.7.2.1.1, the Nuplex 80+ controlling workspace is organized into three major functional areas, each comprised of specific panel sections. Once the functions are determined, they are located in the controlling workspace based on the operational mode in which they are most frequently performed. For example, controls required for reactivity control during normal power operation are located on the MCC.

18.7.2.1.4 Criteria for Arrangement of Functions on Each Panel Section

Once the functions have been assigned to panel sections, they are arranged based on their relationship to other functions. This is done to ensure that functions which are operationally related to one another are placed together on the panels for operator convenience. Since the number of controls and indications is not yet known, no finite amount of panel space is assigned to a particular function. This preliminary organization may require iteration once the size of each functional group is determined.

18.7.2.1.5 Criteria for High Level Operational Analysis

The last portion of Part I simply involves a check to ensure that all functions performed by the operator have been accounted for and assigned to the proper panel section for the operating mode in which each is most frequently performed. This is done by walking through guideline and operating sequences and reviewing the panel for all functions identified in the functional analysis.

18.7.2.1.6 Procedure for Determination and Assignment of Functional Groups

• Step 1 Outline functional task analysis data, EPG data and operating sequence data into standard Technical Specification operating modes.
• Step 2 Outline EPG and operating sequences into operator functions and consolidate with the functional task analysis functions according to the criteria in Section 18.7.2.1.2.
• Step 3 Assign the functions to the standard Technical Specification operating modes determined in Step 1.
• Step 4 Assign the functions to the respective panel sections based on the criteria in Section 18.7.2.1.3.


  • Step 5 Arrange the functions on each panel according to the criteria in Section 18.7.2.1.4.
  • Step 6 Perform a high level operational analysis to determine design completeness on a functional level per criteria in Section 18.7.2.1.5. Iterate the functional assignments as necessary.

18.7.2.2 Part II: Determination of Required Control and Indication Devices and Assignment to Appropriate Functional Groups

Part II of the procedure involves identification and assignment of all control and indication devices required to perform the functions identified in Part I. The devices are determined from the Procedure Guideline Information and Control Requirements from the Functional Task Analysis (FTA), Federally mandated I&C requirements and the System I&C Inventory from the system cognizant engineers. The devices are then assigned to respective functional groups.

18.7.2.2.1 Criteria for Determination of Required Devices and Assignment of Devices to Functional Groups

The controls and indications required to perform the operator functions determined in Section 18.7.2.1 are obtained from the functional task analysis (Information and Control Requirements), Federally mandated information and control requirements, and the System I&C Inventory (from the system cognizant engineering organization). It is then determined how the information is displayed and how the controls are implemented based on the System Description for Control Complex Information System (Section 18.7, Reference 2). The following criteria are used to determine the methods of providing control and information.

  • All control devices for plant components in critical function main flow paths and the minimum inventory of fixed location controls needed to accomplish credited safety function success path tasks identified in EPGs and Probabilistic Risk Assessment are assigned to fixed position discrete switches (e.g. CCS Switch Configuration).

• Other process controls (e.g., process controllers, switches) may use touch screen (soft) controls that use VDU devices (e.g., CCS Process Controller Display) or other control devices (e.g., CCS Switch Configuration, Operators' Modules). Each device is limited to control loops within a related functional group.

• The DPS VDU displays are an operator information display interface for all functional groups. The DPS VDUs display essentially all plant information sent to the main control room.

• Discrete indicators are used primarily to display frequently monitored data to enhance overview comprehension of system level performance. This data includes the major / representative process parameters such as system flowrate or controlled parameters, i.e., temperature for a cooling system. In addition, discrete indicators are provided to meet redundant display requirements for the following information:
1. Information required for maintaining power production without the DPS (including plant investment protection) for up to 24 hours.


2. Display of plant safety related parameters for normal and post-accident monitoring, including continuous display of Regulatory Guide 1.97 Category 1 parameters and display of the minimum inventory of dedicated information needed to accomplish the EPG.

• Alarms are provided on DIAS alarm tiles as well as the DPS display system. See Section 18.7.1.5 for a description of alarm features and characteristics.

18.7.2.2.2 Procedure for Determination of Required Indication and Control Devices and Assignment to Appropriate Functional Groups

• Step 1 Obtain the applicable documentation that indicates the information and controls that are to be located on the main control room panels. This information is determined by the System I&C Inventory from the system cognizant engineers and the Procedure Guideline Information and Control Requirements from the FTA.

• Step 2 List the operational mode being considered and the function to be evaluated.

• Step 3 Review the documentation obtained in Step 1 to determine the controls and indications necessary to perform the function. At this point the Nuplex 80+ methodology for display or control is selected according to the criteria in the System Description for Control Complex Information System (Section 18.7, Reference 2).
  • Step 4 List the devices required in the appropriate area. This step includes determining parameter grouping on discrete indicators, alarm grouping, switch grouping, and process control loop grouping for display on one device.
• Step 5 After all devices have been assigned, review the assignments to determine if any devices have been assigned to more than one functional group. If this is the case, review the task analysis data and operating guidelines and sequences to determine the functions that are performed sequentially or most frequently, and assign the device to that functional group.

• Step 6 Review the data obtained in Step 1 to assure that all information and controls required are provided by the display and control devices identified in this part of the procedure.


18.7.2.3 Part III: Criteria and Procedure for the Detailed Layout of Controls and Indications within Functional Groups

The final step in arriving at the detailed layout of control and indication devices is to arrange the devices, which have been assigned to the functional groups in Part II, according to specific panel layout criteria.

18.7.2.3.1 Detailed Device Layout Criteria

The detailed layout of control and indication devices within a functional group requires application of several types of criteria. The primary types considered are: arrangement, spacing / demarcation, and identification.

• Control Panel Criteria The control panels provide physical constraints that the designer needs to consider during the layout of functional groups. Two types of control panels exist for the Nuplex 80+ control room: 1) sit-down panels, and 2) panels for standing operation. The sit-down panels are used at the MCC and the RSP and are anthropometrically designed to accommodate both standing and seated operation. Standing panels are used on both ACSC consoles.

The sit-down panel and standing operational panel profiles are shown in Figures 18.6.5-11 and 18.6.5-12, respectively. Both types of panels contain two panel surfaces. The upper surface is better suited for indications and alarms that need to be viewed from a distance, since there is a better viewing angle. The horizontal panel surfaces are better suited for controls, to permit ease of access and to prevent obscuring indications while actuating controls. Device layouts of functional groups may go across panel breaks to make use of these advantages. The Human Factors Engineering Standards, Guidelines and Bases for System 80+ (Section 18.4, Reference 6) provides standards and guidelines for laying out panel devices.

• Device Arrangement There are several methods for the arrangement of devices within a functional group. The three primary techniques applied to Nuplex 80+ panels are described below.
1. System Flow Path For functional groups that are primarily associated with one system, information gathering tasks are made easier if the information is presented in a format that is similar to the operator's mental image of the system. For a fluid system that contains a number of components, the operator's mental image is typically related to a process mimic diagram. The mimic diagrams reflect those used during training, if appropriate, or are designed specifically to reflect operators' concerns. The control panel device layouts reflect these mimic diagrams. This technique for device layout is consistent with the associated system layout mimic on the DPS display pages. Functional groups arranged by system flow path should mimic the associated process on a left to right, or top to bottom basis. Parallel rows are used where parallel process paths are encountered. Bold lines are placed on panels to connect component controls when they effectively enhance the representation of the process.

Flow path arrangements are not always appropriate, as is the case when several controls are associated with a single component or the functional group contains devices in a number of systems. The alternate layouts described below are used when device layouts cannot be arranged to resemble mimic diagrams.

2. Sequential Sequential layouts are typically used for multiple controls associated with large components or other situations that require device operation in a designated sequence. Sequential arrangements are configured in the sequence most frequently used by the operator. Controls are arranged in rows, left to right, and columns top to bottom (i.e., the same as a page of type).

3. Related Function These indications and controls are arranged in groups based on the related function. Some functional groups do not fit into the flow path or sequential arrangement methods. An example of related function is containment isolation. Containment isolation valves are extracted from many systems, so there is no relationship by flow or sequence. The relationship that is common to all is that they perform the same function: isolate the containment. Note that DPS process mimics also show these valves as part of the individual system flowpaths.

18.7.2.3.2 Criteria for Spacing of Indications and Controls

The criteria for spacing of indications and controls are contained in the Human Factors Engineering Standards, Guidelines and Bases for System 80+ (Section 18.4, Reference 6).

18.7.2.3.3 Criteria for Device and Functional Group Identification

Techniques enabling the operator to easily obtain information are implemented by the use of the following human engineering design principles. Four types of techniques are employed:

• Alpha-numeric Labels
• Graphic Symbology
• Color Coding
• Demarcation

Identification using labels on the control panels helps establish a hierarchy for the control panel information. Guidelines on label sizes are established to reflect the hierarchy as well as to provide readability from various locations in the controlling workspace. The criteria for letter height are provided in the Human Factors Engineering (HFE) Standards, Guidelines and Bases for System 80+ (Section 18.4, Reference 6). The size requirements for readability are discussed in Section 18.7.1.1.7. The labeling hierarchy used within the Nuplex 80+ control room is in accordance with the HFE Standards, Guidelines and Bases for System 80+ (Section 18.4, Reference 6).

Display device and panel information labels conform to the Nuplex 80+ coding conventions indicated in Section 18.7.1.1.2.

Functional Group Identification

In addition to a label, functional groups are identified by the use of panel demarcations. A group align stripe outlines all components within the group. The information on the label indicates the function, major component or system controlled by the group. Panel space required for name tags is reduced by providing system or functional level information only and using legends on switches whenever possible to describe the purpose of the components within the group.

Control Switch Identification

The following information regarding fixed location discrete switches is typically provided on the switch faceplate:

  • Functional Identifier (name of control).
  • Unambiguous Identifier (tag number).
  • Control options available (on, off, auto).
  • Current Component State (on, off, auto).
  • Functional Symbol (applicable to CCS Switch Configurations and CCS Process Controller Displays).

In order to display all of this information on a component switch, visual coding display techniques based on the conventions established in Section 18.7.1.1 are utilized. The following visual codes are assigned to the above information types:

Information Type                        Visual Codes
Identifiers (functional, unambiguous)   Alpha-numeric / Graphic
Control Options                         Hue / Relative Position
Component State                         Illuminated Color / Relative Position

For example, a dedicated push button switch is engraved with the identification of the component being controlled at the top, followed by a graphic symbol of the device (see symbol list, Figure 18.7.2-2) and a description of the component's function. Example: The CVCS system has a vent to the Waste Management System. The top of the pushbutton station is coded by the number of the valve: CH-249. The symbol is picked from the symbol list as a valve. The function of the valve is described: "VENT TO WASTE MGT." (Figure 18.7.2-3) The control options and component state conventions are more fully described in Section 18.7.1.6. Switches on flat panel control devices use similar conventions for identification.

18.7.2.3.4 Procedure for the Detailed Layout of Controls and Indications within Functional Groups

The basic steps involved in obtaining layouts of the control panels are, first, to assign the devices necessary to perform the functions identified and listed in Part II, and secondly, to apply the criteria described in this section in arranging the components within the functional groups. Before commencing the procedure, a list of information containing a summary of operator tasks performed, controls assigned to this group, controls / indications requiring dedicated switches or indications, special features required, estimated space requirements and layout method utilized is completed for each function listed in Part II. The use of these lists serves as a check for the implementation of the criteria.

Procedure

• Step 1 Once the components necessary for each functional group have been assigned, the next step involves selecting an arrangement method:
1. Flow Path,
2. Sequential, or
3. Related Function
An appropriate method based on the arrangement criteria in Section 18.7.2.3.1 is selected.
  • Step 2 The indications and controls are arranged with proper spacing as per the criteria in the HFE Standards, Guidelines and Bases for System 80+.
• Step 3 The functional group is assigned a label and a group demarcation line is established as described in Section 18.7.2.3.3 and the HFE Standards, Guidelines and Bases for System 80+.
  • Step 4 Individual components are identified according to the criteria in Section 18.7.2.3.3 and the HFE Standards, Guidelines and Bases for System 80+.
• Step 5 The functional groupings are reviewed on an individual basis to determine if:
1. Special features are required as noted on the list of information for each function, e.g., switch guards.
2. Special spare space requirements are listed on the information list for each function; if so, those requirements are implemented.



  • Step 6 After each functional group has been configured, they are arranged on the panel per the functional layout identified in Section 18.7.2.1.6. Functional group outlines are lined up horizontally and vertically where possible. Where space allows, adjacent group outlines are squared off.

18.7.2.4 Remote Shutdown Panel Design Criteria

The remote shutdown panel (RSP) is a sit-down panel with the same panel profile as the MCC. System / device layouts on the panel use the same layout / format, where possible, as those same features are laid out on the main control room panels. The criteria for demarcations, color coding, and labeling used on the main control room panels also apply to the RSP panels. For more information on the remote shutdown panel see Section 18.8.1.

18.7.3 RCS Panel Design

The design of the Nuplex 80+ prototype RCS panel of the MCC is described in this section. This section demonstrates the implementation of the standard Nuplex 80+ features and conventions (documented in Section 18.7.1) through use of the panel layout process (documented in Section 18.7.2). The application of this process to the RCS panel and the results of the effort are described in complete detail. All Nuplex 80+ MCC and ACSC panels are designed using similar methodology. Section 18.7.4 contains a summary of other MCC and ACSC panel designs. The implementation of standard Nuplex 80+ I&C features and conventions and the panel layout process described here is similar to, but not identical to, the process described in Sections 18.7.1 and 18.7.2. The differences are due to refining the design features and convention details through iteration, Nuclear Regulatory Commission comments on the design process, and design changes to the RCS and other fluid systems. Additionally, availability verification and suitability verification were performed on the prototype RCS panel design. These analyses and applicable findings were incorporated into the design. Section 18.9 describes availability verification and suitability verification in more detail.
The prototype RCS panel design (as described here) will be modified to incorporate the standard Nuplex 80+ features and conventions as described in Sections 18.7.1 and 18.7.2, and to meet all elements of the HFPP for System 80+ (Section 18.4, Reference 4).

18.7.3.1 Assignment and Arrangement of Functions on the RCS Panel

The Nuplex 80+ RCS panel was designed in accordance with the Design Criteria and Procedure for Layout of Control Room Indication and Controls described in Section 18.7.2. The first step of the RCS panel design was to identify the functions that are performed at this panel. The following steps were taken to identify the RCS panel functions:

  • Review the Functional Task Analysis for System 80+,
• Perform a computer sort on the functional task analysis data base to identify all System 80+ gross functions and subfunctions.


• Perform an evaluation of the gross functions and subfunctions to identify all gross functions and subfunctions that would be partially or wholly accomplished from the RCS panel of the MCC. This was based on the operational requirements for the MCC indicated in Section 18.6.5.1.

• Independently evaluate the following sources to determine if any other functions should be added to the Functional Task Analysis list for the RCS.
1. System 80+ Piping and Instrument Diagrams for the RCS and support systems.
2. Standard Technical Specifications.
3. Nuplex 80 Panel Design (an advanced control room).
4. System 80 Panel Design (a conventional control room).
5. Normal, Abnormal and Emergency Operating Procedures.

• Review by System Engineers and a Senior Reactor Operator of the composite list to identify any other RCS functions appropriate to this panel.

• Compile the composite list of RCS related Gross Functions and Subfunctions (Table 18.7.3-1).

After compiling the list of gross functions and subfunctions, the functions were organized into major functional groups. These groups are:

• Functions related to the Reactor Coolant Pumps.
• Functions related to the Reactor Coolant Seal / Bleed System.
• Functions related to the Reactor Coolant System.

To concisely indicate the three RCS panel functional groups, the major system or component in each functional group (Reactor Coolant Pumps, Reactor Coolant Seal / Bleed System and the Reactor Coolant System) is used for identification purposes. The standard method of organizing major functions on MCC panels is based on placing the most frequently used functions near the center of the MCC and the least used functions near the outside.

The RCS panel is located on the left side of the MCC, as identified in the control room configuration evaluation. The functional group that is most frequently used, the Reactor Coolant System, is placed on the right side of the RCS panel, which is the side of the RCS panel closest to the center of the MCC. The least used function, Reactor Coolant Pumps, is placed on the left side of the RCS panel, which is furthest from the center of the MCC. The Reactor Coolant Seal / Bleed System function is placed in the center of the RCS panel, since its utilization lies between the aforementioned functional groups.

After identification and assignment of the RCS panel functional groups, a high level functional analysis was performed. This was done by reviewing the list of panel functions and subfunctions listed in Table 18.7.3-1 and assuring that they are accommodated by the selected functional groups. This analysis also focused on the impact that the operating mode in which a function is most frequently performed has on its panel section assignment. No problem areas were identified with the RCS functional groups during this analysis.

18.7.3.2 Determination and Assignment of Required Indication, Alarm and Control Devices for the RCS Panel

The indications and controls required for the RCS panel were identified and assigned to functional groups by the method described in Section 18.7.2. The following steps were taken to generate a list of indication, control and alarm devices that are needed on the RCS panel.

  • Reviewed the Function and Task Analysis for System 80+.
  • Performed a computer sort to identify the parameters and parameter characteristics needed for System 80+ general operations relating to the RCS.
  • Performed an evaluation of these parameters and characteristics to assign them to the appropriate functional group based on the gross function and subfunction table generated for the RCS panel.
  • Independently evaluated the following sources to determine if any other parameters or characteristics are required for the RCS.
1. Instrument and Controls Design Requirements.
2. System 80+ Piping and Instrument Diagrams for the RCS and support systems.
3. Standard Technical Specifications.
4. Nuplex 80 Panel Design.
5. System 80 Panel Design.
6. Normal, Abnormal and Emergency Operating Procedures.
  • Systems Engineers and a Senior Reactor Operator reviewed the list and identified any additional parameters and characteristics required or ones that should be deleted.
  • Compiled a composite list of indicators and their characteristics. This list of indicators and characteristics is contained in Section 18.7.3.2.1.
  • Reviewed the following sources to identify the control devices that would be used to accomplish RCS panel functions:
1. Functional Task Analysis Results (see Section 18.5.3).
2. Instrument and Controls Design Requirements.
3. System 80+ Piping and Instrument Diagrams for the RCS and support systems.
4. Nuplex 80 Panel Design.
5. System 80 Panel Design.



• Systems Engineers and a Senior Reactor Operator reviewed the controls list and modified the list to meet all RCS functions.
  • Compiled a composite list of control devices. This list is contained in Section 18.7.3.2.2.
• Reviewed the following sources to identify the annunciators for the RCS panel:
1. System 80+ Functional Task Analysis.
2. Instrument and Controls Design Requirements.
3. System 80 Alarm Response Manual.
4. System 80+ Piping and Instrument Diagrams.
5. Nuplex 80 Panel Design.
6. System 80 Panel Design.
7. Normal, Abnormal and Emergency Operating Procedures.
8. System Descriptions.
9. Component Technical Manuals.

• Analyzed each annunciator individually and developed logic and setpoints to meet mode and equipment status dependency, for the three Nuplex 80+ alarm modes, and operator aids.

• Grouped alarms (by alarm tile) using a combination of the following categories (to reduce the amount of information presented to the operator and to save board space):
1. Related Component.
2. Related Function.
3. Related System.
  • Systems Engineers, a Human Factors Engineer and a Senior Reactor Operator reviewed and modified the list as necessary to meet the Nuplex 80+ alarm philosophy.


• Compiled a composite list of annunciators. This list is contained in Section 18.7.3.2.3.

The above steps identify all indication, alarm and control devices required for the RCS panel. This focuses on those needed for maneuvering the plant from hot shutdown to full power operation and return to hot shutdown. Additionally, devices are identified to provide all RCS indication, alarms and controls necessary for reactor trip recovery, emergencies, maintaining plant availability and investment concerns. Although not identified in the design criteria for layout of the MCC, indications and alarms for RCS parameters used for Heatup, Cooldown, Cold Shutdown and Refueling are included on this panel to provide a single system oriented location for all RCS instrumentation.

The following three sections identify specifically the results of this part of the RCS panel design effort. Section 18.7.3.2.1 details the indication required for the RCS panel through both discrete indicators and DPS displays. Section 18.7.3.2.2 describes RCS process and component controls, with individual sections for DPS VDU and DIAS alarm controls. Section 18.7.3.2.3 describes in detail the RCS panel alarms. Each of these sections assigns its RCS instrumentation to one of the three functional groups identified in Section 18.7.3.1.

18.7.3.2.1 RCS Panel Indication

RCS panel indication is provided by the DIAS flat panel indicators and DPS VDU displays. The general descriptions of these Nuplex 80+ information systems are provided in Sections 18.7.1.4 and 18.7.1.3, respectively. The design integrates the information presentation of these two systems. The following two sections identify the discrete indicators and DPS display pages that exist for the RCS panel. Subsequent sections identify the specific information that exists for these devices and assign them to functional groups.

18.7.3.2.1.1 Discrete Indication

The DIAS is an important Nuplex 80+ presentation system containing frequently used process parameters that help an operator's overview of the plant condition, and other parameters needed when the DPS display system is unavailable. Many individual parameters have been identified in these categories relating to the RCS. In a conventional control room, each of these parameters is assigned to an individual indicator on the panel. The operator is required to scan a panel containing over 100 indicators in order to locate the small number of parameters he uses on a frequent basis. As discussed in Section 18.7.1.4, discrete indicators provide the operator with concise processed information related to components, systems or plant processes in a variety of display formats.
The following steps were taken to determine which RCS parameters are continuously displayed, those that require access when the DPS is unavailable, and on which indicator these parameters are displayed.

• Review the generated list of indicators and their characteristics.
• Review the Instrument and Control Design Requirements for System 80+ and the P&IDs for System 80+ to determine available sensors and range.
• Consolidate the available sensors using validation and menuing techniques based on one or more of the following criteria:

1. Frequency of use (based on the number of times a function and its associated parameters are identified in the functional task analysis).
2. Functional Group on the RCS panel.
3. Operational Importance, by identifying parameters that have a major impact on plant processes, such as those that control power, inventory, pressure, level, temperature.


• Identify the discrete indicators and the parameters that may be viewed on each. There are ten indicators identified for the RCS panel. The indicators are:
1. RCP 1A
2. RCP 1B
3. RCP 2A
4. RCP 2B
5. RCP Seal / Bleed
6. RCS
7. Thot
8. Tcold
9. Pressurizer Pressure
10. Pressurizer Level

With these ten indicators, the operator has continuous display of all frequently accessed plant process parameters related to the RCS panel and easy access via menu to all other RCS parameters required for operation when the DPS is unavailable. The ten indicators provide RCS Regulatory Guide 1.97 Category 1, 2 and 3 parameters, other parameters needed for operation due to inaccessibility of local gages and parameters, plant process parameters, and indication required for surveillance. The displays for these indicators and the parameters indicated on each are described in Sections 18.7.3.2.1.3, 18.7.3.2.1.4 and 18.7.3.2.1.5.

18.7.3.2.1.2 DPS VDU Displays

The Nuplex 80+ VDU displays driven by the DPS contain essentially all System 80+ information that is available to the operator. The information is presented on display pages contained in a structured hierarchy (see Figure 18.7.1-5). Process related displays are primarily mimics based on the Nuplex 80+ conventions (Section 18.7.1.1). The detailed characteristics of the DPS display system are provided in Section 18.7.1.3. This section describes the RCS-related DPS display pages in keeping with presenting the RCS panel design. It is noted, however, that in the Nuplex 80+ control room any DPS display page relating to any system or function can be accessed from the RCS panel DPS VDU. The RCS-related displays are contained in the hierarchy shown in Figure 18.7.1-5 under the primary systems level 1 display page. These display pages present graphical layouts of the Primary Systems information that is consistent with the operator's system visualization. This format cannot be accomplished with discrete indicators. Figures 18.7.1-5 and 18.7.3-1 through 18.7.3-10 illustrate the display pages for the primary systems and controls associated with the RCS panel. Figure 18.7.3-1 is a level 1 overview display for monitoring the Primary Systems, including the Nuclear Steam Supply Systems. Figure 18.7.3-2 is the level 2 display used for control of the RCS. Figures 18.7.3-3 through 18.7.3-6 are the level 3 display pages used for RCS

diagnostics: Pressurizer Pressure, Pressurizer Level, RCS / Vessel and RCS Temperature. Figure 18.7.3-7 is the level 2 page used to control RCPs 1A and 1B; RCPs 2A and 2B have similar pages. Figures 18.7.3-8 and 18.7.3-9 are the level 3 diagnostic pages for RCP 1A; RCPs 1B, 2A and 2B have similar pages. Figure 18.7.3-10 illustrates the diagnostic page for the Seal / Bleed Subsystem of the CVCS. This page is included because the Seal / Bleed portion of the CVCS is controlled from the RCS panel. The RCS information presented on these eleven display pages is defined in the following three subsections for the three RCS panel functional groups identified in Section 18.7.3.1.

18.7.3.2.1.3 RCS Functional Group Indication

• DIAS Displays As outlined in Section 18.7.3.2.1.1, an evaluation was performed identifying the DIAS indicators that are provided for the RCS functional group. This includes the parameters that are accessible on each, display characteristics, and whether the display is continuous or accessible by use of a menu.

Based primarily on frequency of use and operational importance in identifying both primary and secondary system changes and problems, the following parameters are selected for continuous display on the RCS panel: pressurizer pressure, pressurizer level, RCS Thot and RCS Tcold. The discrete indicator for the RCS displays other, less frequently accessed RCS parameters. The five DIAS indicators for the RCS functional group and the sensor readings that may be accessed by each indicator are listed below. Note that the validation algorithms providing the valid parameters are discussed in Section 18.7.3.2.1.6. Specific sensor ranges are provided in Table 7.5-1 for safety-related plant process display instrumentation.

1. Pressurizer Pressure (Continuously Displayed)

The left side of Figures 18.7.1-7 and 18.7.3-11 illustrates the DIAS displays for pressurizer pressure, showing the normally displayed trend format and the associated menu pages respectively. The following sensor channels and validated parameters are provided on this discrete indicator:

- P-103, P-104, P-105, P-106 (Low Range, Pressurizer Pressure)
- P-102A, P-102B, P-102C, P-102D (Mid Range, Pressurizer Pressure)
- P-101A, P-101B, P-101C, P-101D, P-100X, P-100Y (High Range, Pressurizer Pressure)
- P-190A, P-190B (Wide Range / PAMI, RCS Pressure, Post-Accident Monitoring Indication (PAMI))
- CALC PRESS (Calculated, Normally Validated, Post-Accident display of the average pressure in the most accurate range. Normally continuously displayed via a digital, analog and trend display.)

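The "Calculated, Normally Validated" entries in these indicator lists (CALC PRESS here, and the Calc Loop Thot and Calc Leg Tcold parameters in the temperature lists that follow) are derived from the redundant channels listed with them, but the DCD defers the actual validation algorithms to Section 18.7.3.2.1.6. The following Python is an added example, not code from the DCD or from ABB Combustion Engineering: it shows one plausible way such a parameter can be formed, discarding off-scale and disagreeing channels and then taking the most accurate range that still validates. The range spans, the 2 % agreement band, the two-channel minimum and the sample readings are all assumptions made for illustration; only the range names and channel tags are taken from the list above.

```python
"""Added example: a toy "calculated, normally validated" pressurizer pressure.
The range spans, the agreement band and the sample readings are assumptions;
the real System 80+ validation algorithms are in DCD Section 18.7.3.2.1.6."""

from dataclasses import dataclass, field
from statistics import median
from typing import Dict, List, Optional, Tuple

# Assumed spans (psia) for the three pressurizer-pressure ranges. The DCD names
# the ranges and channel tags but gives no spans here; these are illustrative.
RANGES: Dict[str, Tuple[float, float]] = {
    "low": (0.0, 600.0),
    "mid": (1500.0, 2500.0),
    "high": (0.0, 3000.0),
}

# Channel tags per range, as listed in the DCD for the pressurizer pressure indicator.
CHANNELS: Dict[str, List[str]] = {
    "low": ["P-103", "P-104", "P-105", "P-106"],
    "mid": ["P-102A", "P-102B", "P-102C", "P-102D"],
    "high": ["P-101A", "P-101B", "P-101C", "P-101D", "P-100X", "P-100Y"],
}

# Assumed agreement criterion: a channel is accepted if it lies within 2 % of
# its range span of the median of the on-scale channels in that range, and a
# range only validates when at least two channels agree.
AGREEMENT_FRACTION = 0.02
MIN_GOOD_CHANNELS = 2


@dataclass
class Validated:
    value: Optional[float]        # validated average, or None if the range did not validate
    range_name: Optional[str]     # range that produced the value
    good: List[str] = field(default_factory=list)      # channels used in the average
    rejected: List[str] = field(default_factory=list)  # off-scale or disagreeing channels


def validate_range(readings: Dict[str, float], range_name: str) -> Validated:
    """Validate one range: drop off-scale channels, drop channels that disagree
    with the median of the rest, and average what remains."""
    lo, hi = RANGES[range_name]
    tags = [t for t in CHANNELS[range_name] if t in readings]
    # A reading sitting exactly on a span limit is treated as pegged (off-scale).
    on_scale = {t: readings[t] for t in tags if lo < readings[t] < hi}
    if len(on_scale) < MIN_GOOD_CHANNELS:
        return Validated(None, range_name, [], tags)
    centre = median(on_scale.values())
    tolerance = AGREEMENT_FRACTION * (hi - lo)
    good = [t for t, v in on_scale.items() if abs(v - centre) <= tolerance]
    if len(good) < MIN_GOOD_CHANNELS:
        return Validated(None, range_name, [], tags)
    rejected = [t for t in tags if t not in good]
    average = sum(on_scale[t] for t in good) / len(good)
    return Validated(average, range_name, good, rejected)


def calc_press(readings: Dict[str, float]) -> Validated:
    """Return the validated pressure from the most accurate range that
    validates: narrowest span first, widest span last."""
    by_accuracy = sorted(RANGES, key=lambda n: RANGES[n][1] - RANGES[n][0])
    for name in by_accuracy:
        result = validate_range(readings, name)
        if result.value is not None:
            return result
    return Validated(None, None, [], list(readings))


# Constructed sample readings (psia), not plant data: normal operation near
# 2250 psia, the low-range channels pegged at full scale, and P-102D failed high.
SAMPLE_NORMAL = {
    "P-103": 600.0, "P-104": 600.0, "P-105": 600.0, "P-106": 600.0,
    "P-102A": 2248.0, "P-102B": 2251.0, "P-102C": 2249.0, "P-102D": 2400.0,
    "P-101A": 2250.0, "P-101B": 2253.0, "P-101C": 2247.0, "P-101D": 2252.0,
    "P-100X": 2249.0, "P-100Y": 2251.0,
}

# Constructed: the mid-range channels disagree with each other, so the
# indicator falls back to the high range even though it is the least accurate.
SAMPLE_MID_FAULT = dict(SAMPLE_NORMAL, **{
    "P-102A": 2248.0, "P-102B": 2300.0, "P-102C": 2350.0, "P-102D": 2400.0,
})

if __name__ == "__main__":
    for label, sample in (("normal", SAMPLE_NORMAL), ("mid-range fault", SAMPLE_MID_FAULT)):
        r = calc_press(sample)
        print(f"{label}: {r.value:.1f} psia from {r.range_name} range, rejected {r.rejected}")
```

Running the block prints the validated value for each constructed sample. In the first sample the pegged low-range channels are rejected as off-scale and the failed P-102D is rejected as disagreeing, so the displayed value comes from the three remaining mid-range channels; in the second the mid range cannot reach a two-channel agreement and the value is taken from the wider high range instead, which is the fallback a plain average of all channels would hide.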


2. Pressurizer Level (Continuously Displayed)

The right side of Figures 18.7.1-7 and 18.7.3-11 illustrates the DIAS displays for pressurizer level, showing the normally displayed trend format and the associated menu page respectively. The following sensor channels and valid parameters are provided on this discrete indicator:

- L-110A (0-100%, PAMI)
- L-110B (0-100%, PAMI)
- L-103 (0-100%)
- Calc Uncompensated Pzr Level (Calculated, Normally Valid, Uncompensated, PAMI display of average pressurizer level)
- T-101A (Pressurizer Water Temp)
- T-101B (Pressurizer Water Temp)
- Calc Pzr Water Temp (Calculated, Normally Valid, average pressurizer water temperature)
- Calc Compensated Level (Calculated, Normally Valid, Compensated, normally PAMI display of density compensated pressurizer level. Normally continuously displayed via a digital, analog and trend display.)

3. RCS Thot (Continuously Displayed)

The left side of Figures 18.7.3-12 and 18.7.3-13 illustrates the displays for RCS Thot, showing the normally displayed trend format and the associated menu page respectively. The following sensor channels and valid parameters are provided on this discrete indicator:

- T-112HA, T-112HB, T-112HC, T-112HD (Narrow Range, Loop 1 Thot)
- T-111HA, T-111HB (Wide Range / PAMI, Loop 1 Thot)
- Calc Loop 1 Thot (Calculated, Normally Validated, Normally PAMI display of the average loop 1 Thot in the most accurate range. Used for comparisons between loop 1 and loop 2)
- T-122HA, T-122HB, T-122HC, T-122HD (Narrow Range, Loop 2 Thot)
- T-121HA, T-121HB (Wide Range / PAMI, Loop 2 Thot)
- Calc Loop 2 Thot (Calculated, Normally Validated, Normally PAMI display of the average loop 2 Thot in the most accurate range. Used for comparisons between loop 1 and loop 2)


- Calc RCS Thot (Calculated, Normally Validated, Normally PAMI display of the average temperature of loop 1 and loop 2 Thot. Normally continuously displayed via a digital, analog and trend display)

4. RCS Tcold (Continuously Displayed)

The right side of Figures 18.7.3-12 and 18.7.3-13 illustrates the displays for RCS Tcold, showing the normally displayed trend format and the associated menu page (the loop 1 menu page is shown; the loop 2 Tcold menu page is similar). The following sensor channels and valid parameters are provided on this discrete indicator:

- T-112CA, T-112CC (Narrow Range, Loop 1A Tcold)
- T-111CA (Wide Range/PAMI Loop 1A Tcold)
- Calc Leg 1A Tcold (Calculated, Normally Validated, Normally PAMI display of the average loop 1A Tcold)
- T-112CB, T-112CD (Narrow Range, Loop 1B Tcold)
- T-111CB (Wide Range/PAMI Loop 1B Tcold)
- Calc Leg 1B Tcold (Calculated, Normally Validated, Normally PAMI display of the average loop 1B Tcold)
- T-122CA, T-122CC (Narrow Range, Loop 2A Tcold)
- T-121CA (Wide Range/PAMI Loop 2A Tcold)
- Calc Leg 2A Tcold (Calculated, Normally Validated, Normally PAMI display of the average loop 2A Tcold)
- T-122CB, T-122CD (Narrow Range, Loop 2B Tcold)
- T-121CB (Wide Range/PAMI Loop 2B Tcold)
- Calc Leg 2B Tcold (Calculated, Normally Validated, Normally PAMI display of the average loop 2B Tcold)
- Calc Loop 1 Tcold (Calculated, Normally Validated, Normally PAMI display of the average leg 1A and leg 1B Tcold. Used for comparisons between loop 1 and loop 2 Tcold)
- Calc Loop 2 Tcold (Calculated, Normally Validated, Normally PAMI display of the average leg 2A and leg 2B Tcold. Used for comparisons between loop 1 and loop 2 Tcold)


- Calc RCS Tcold (Calculated, Normally Validated, Normally PAMI display of the average loop 1 and loop 2 Tcold. Normally continuously displayed via a digital, analog and trend display)

NOTE: The "Loop 1" and "Loop 2" touch selections, located beneath the "menu" label on Figure 18.7.3-13, select which loop data (1 or 2) is presently being displayed. The figure illustrates the Loop 1 case.

5. RCS (Any one of 32 sensor or validation outputs may be displayed one at a time)

Based on the criteria described in Section 18.7.3.2.1.1, a single discrete indicator is provided for the other miscellaneous parameters measured in the RCS. The right side of Figures 18.7.3-14 through 18.7.3-19 illustrates a typical display for the RCS parameter discrete indicator, showing an example of the normally displayed analog format and examples of the five available menu pages, respectively. Due to the large number of sensors displayed on this single indicator, these parameters are divided into five logically associated and/or related functional groups. These five groups and the parameters indicated in each group are:

- Subcooling (PAMI)
    1. RCS Subcooled Margin
    2. RCS Subcooled Margin
    3. CET Subcooled Margin
    4. CET Subcooled Margin
    5. Upper Head Subcooled Margin
    6. Upper Head Subcooled Margin

- Pressurizer
    1. Pressurizer Water Temperature (T-101A, T-101B)
    2. RC-200 Safety Line Temperature (T-107)
    3. RC-201 Safety Line Temperature (T-108)
    4. RC-202 Safety Line Temperature (T-109)
    5. RC-203 Safety Line Temperature (T-106)


- Vessel
    1. Reactor Vessel Seal Pressure (P-118)
    2. Pressurizer/Reactor Vessel Vent Pressure (P-159)
    3. Reactor Vessel Level (RVLMS-A) (PAMI)
    4. Reactor Vessel Level (RVLMS-B) (PAMI)
    5. Refueling Pool Level (IAO)
- Primary Safety Valves (ALMS) (PAMI)
    1. RC-200 Safety Valve Position (Z-107)
    2. RC-201 Safety Valve Position (Z-108)
    3. RC-202 Safety Valve Position (Z-109)
    4. RC-203 Safety Valve Position (Z-106)
- Reactor Coolant Pump Differential Pressures
    1. Reactor Coolant Pump 1A Differential Pressure (PDI-110, 111, Valid)
    2. Reactor Coolant Pump 1B Differential Pressure (PDI-112, 113, Valid)
    3. Reactor Coolant Pump 2A Differential Pressure (PDI-120, 121, Valid)
    4. Reactor Coolant Pump 2B Differential Pressure (PDI-122, 123, Valid)

The operator has the option to select any one of these thirty-two parameters for continuous display. If the plant is at power, he does not normally need continuous display of any of these parameters. Operating procedures would likely direct the operator to monitor RCS Subcooled Margin, a parameter needed for observation if a plant trip occurs. In a refueling mode of operation, refueling level, a parameter that is observed closely during refueling operations, would be selected.

• DPS VDU Displays

The RCS-related DPS display pages are identified in Section 18.7.3.2.1.2. These pages are shown in Figures 18.7.1-6, 18.7.1-7 and 18.7.3-1 through 18.7.3-10. All of the above information displayed on the discrete indicators for the RCS functional group is also contained in one or more of these pages. The following additional information, not provided on a discrete indicator, is also provided on the RCS-related DPS display pages:

1. Steam Generator No. 1 Differential Pressure (PDI-115A, 115B, 115C, 115D, Valid)
2. Steam Generator No. 2 Differential Pressure (PDI-125A, 125B, 125C, 125D, Valid)



3. RCP 1A and 1B Spray Line Temperatures (TI-103, 104)
4. Pressurizer Surge Line Temperature (TI-105)
5. Reactor Vessel Differential Pressure (PDI-124W, 124X, 124Y, 124Z)
6. Pressurizer Reference Leg Temperature Sensors
7. Indication of all RCS control devices contained on the RCS panel:
    - Auxiliary Spray Isolation Valve (CH-205) (Position)
    - RCP 1A and 1B Spray Isolation Valve (RC-100E, 100F) (Position)
    - Pressurizer Pressure Controller (Setpoint, Selected Channel and Process Value)
    - Pressurizer Level Controller (Setpoint, Selected Channel and Process Value)
    - Pressurizer Backup Heaters (On, Off, Status)
    - Pressurizer Proportional Heaters (On, Off, Status and Output)
    - Letdown Isolation Valve (CH-515) (Open, Closed Position)
    - Letdown Backup Isolation Valve (CH-516) (Open, Closed Position)
8. Historical and trend data on RCS functional group parameters.

18.7.3.2.1.4 Reactor Coolant Pump (RCP) Functional Group Indication

The indication for the RCPs is divided into two groups:

• DIAS Displays

Four discrete indicators are provided, one for each RCP. Figure 18.7.3-20 illustrates the discrete indicators for RCP 1A and RCP 1B, with a typical analog page displayed. Each indicator has twenty-four parameters related to its associated RCP. Since none of these are considered to be key plant process parameters, continuous display is not required. Due to the large number of sensors on this single indicator, the parameters are divided into four functional groups: seal, cooling system, pump/motor and oil system. These functional groups allow better operator access via a menu system.

The four groups and the parameters indicated in each group are defined below. The four instrument tag numbers following each parameter description are associated with RCP 1A, 1B, 2A and 2B, respectively.



1. Seal

Figure 18.7.3-21 illustrates the seal menu page for RCP 1A (other RCP seal menus are similar).

    - Seal #1 Outlet Pressure (P-151, 161, 171, 181)
    - Seal #2 Outlet Pressure (P-152, 162, 172, 182)
    - Seal #3 Outlet Pressure (P-153, 163, 173, 183)
    - Seal #3 Outlet Temperature (T-118, 128, 138, 148)

2. Cooling System

Figure 18.7.3-22 illustrates the cooling system menu for RCP 1A (other RCP cooling system menus are similar).

    - HP Cooler Inlet Temperature (T-150, 160, 170, 180)
    - HP Cooler Outlet Temperature (T-151, 161, 171, 181)
    - RCP Essential Cooling Water Flow (F-471, 474, 475, 477)

3. Pump/Motor

Figure 18.7.3-23 illustrates the Pump/Motor menu page for RCP 1A (other RCP pump/motor menus are similar).

    - Motor Current (RCP-1A, 1B, 2A, 2B; PAMI)
    - Motor Lower Journal Bearing Temperature (T-116, 126, 136, 146)
    - Motor Lower Thrust Bearing Temperature (T-154, 164, 174, 184)
    - Motor Upper Journal Bearing Temperature (T-194, 195, 196, 197)
    - Motor Stator Temperature (T-155, 165, 175, 185)
    - Motor Forward and Reverse Rotation Switch (0-109, 119, 129, 139)
    - Pump Lower Journal Bearing Temperature (T-152, 162, 172, 182)
    - Pump Upper Journal Bearing Temperature (T-153, 163, 173, 183)
    - Pump Upper Thrust Bearing Temperature (T-156, 166, 176, 186)


4. Oil System

Figure 18.7.3-24 illustrates the Oil System menu page for RCP 1A (other RCP oil system menus are similar).

    - Lube Oil Cooler Temperature (T-158, 168, 178, 188)
    - Pump Bearing Oil Reservoir Level (L-107, 117, 127, 137)
    - Motor Lower Oil Reservoir Level (L-108, 118, 128, 138)
    - Motor Upper Oil Reservoir Level (L-109, 119, 129, 139)
    - Oil Lift Tank Level (L-131, 141, 151, 161)

The operator may select any of these twenty-four parameters for continuous display. He would normally select a parameter that is representative of the general state of each RCP. This parameter would likely be seal pressure, since seal failures are the most common problem with RCPs. Monitoring a single seal pressure helps the operator detect problems with any of the three RCP seals. For diagnostic and surveillance tasks, the operator would select the parameter requiring the most frequent monitoring.

  • DPS Displays

The DPS display pages related to the RCP functional group were identified in Section 18.7.3.2.1.2. The RCP indication is organized into the DPS display page hierarchy, with plant overview information (e.g., RCP pump status) provided on a level 1 page, control information (e.g., RCP motor current) provided on level 2 pages, and detailed diagnostic information (e.g., motor lower journal bearing temperature) provided on level 3 pages. The RCP-related pages and the corresponding figures illustrating them are: Primary Systems (18.7.3-1), RCS Control (18.7.3-2), RCS/Vessel (18.7.3-5), RCP 1A, 1B Control (18.7.3-7), RCP 1A Seal/Cooling (18.7.3-8), and RCP 1A PP/Motor/Oil (18.7.3-9). Note that corresponding pages for the other RCPs are provided for the last three pages. All of the above information displayed on RCP discrete indicators is also provided on the RCP functional group DPS display pages. The following additional information is also provided on these pages:

1. Historical and trend data on selected RCP parameters
2. Indication of all RCP control devices contained on the RCS panel, plus motor space heater status
3. RCP (1A, 1B, 2A, 2B) (On, Off Status)
4. RCP HP Cooler Inlet and Outlet Valves (Open, Closed Status)
    - 1A (RC-446, 450)
    - 1B (RC-447, 451)
    - 2A (RC-448, 452)
    - 2B (RC-449, 453)
5. RCP (1A, 1B, 2A, 2B) Oil Lift Pump (On, Off Status)
6. RCP (1A, 1B, 2A, 2B) Motor Space Heaters (On, Off Status)
7. RCP (1A, 1B, 2A, 2B) Controlled Bleedoff Isolation Valves (RC-430, 431, 432, 433) (Open, Closed Status)

18.7.3.2.1.5 RCP Seal/Bleed System Functional Group Indication

• DIAS Displays

Based on the analysis described in Section 18.7.3.2.1.1, a single discrete indicator is provided for the RCP Seal/Bleed System. The left side of Figure 18.7.3-14 illustrates a typical analog display for this indicator. This single indicator has five parameters related to the RCP Seal/Bleed system which the operator views infrequently. The left side of Figure 18.7.3-15 illustrates the menu page for these parameters.

The five parameters are:

1. RCP-1 A Control Bleed Flow (F-156)
2. RCP-1B Control Bleed Flow (F-166)
3. RCP-2A Control Bleed Flow (F-176)
4. RCP-2B Control Bleed Flow (F-186)
5. Seal Injection Heat Exchanger Inlet Temperature (T-231E)

The operator has the option of selecting any one of these five parameters for continuous display. If the plant is at power with the RCP seals performing normally, none of these parameters need continuous display. However, if the operator is starting an RCP or a seal problem exists with a particular RCP, the operator would select Control Bleed Flow for that RCP.

• DPS Displays

The display pages related to the RCP Seal/Bleed functional group were identified in Section 18.7.3.2.1.2. The pages containing RCP Seal/Bleed information are identical to those identified for the RCPs in Section 18.7.3.2.1.4, with the addition of a dedicated RCP Seal/Bleed page (Figure 18.7.3-10). All of the above information displayed on RCP Seal/Bleed discrete indicators is also provided on the RCP Seal/Bleed functional group DPS display pages. The following additional information is also provided on those pages:


1. Indication of all Seal Injection Control Devices contained on the RCS panel:
    - RCP (1A, 1B, 2A, 2B) Seal Injection Flow Control Valves (FIC-241, 242, 243, 244) (Position)
    - Seal Injection Temperature Indicating Controller (TIC-231) (Position)
    - Seal Injection Containment Isolation Valve (CH-255) (Open, Closed Status)
2. Historical and Trend Data of all RCP Seal/Bleed System parameters.

18.7.3.2.1.6 Sensor Validation

Based on System 80+ system designs, the RCS has many sensors measuring the same parameter (e.g., Pressurizer Pressure, RCS Thot, etc.). A review of the Functional Task Analysis for System 80+ indicated that the operator is required to collect, detect, read, compare, copy, compute, compile, analyze, confirm, monitor and/or verify many types of information from multiple indicators during operational tasks. To ensure that human cognitive limits are not exceeded during these tasks, the redundant information is processed by computers and presented to the operator. Presenting valid data also reduces the stimulus overload in the control room and reduces the potential for human error.

To reduce unnecessary information loading, a generic validation algorithm is used. This algorithm takes the outputs of all sensors measuring the same parameter and generates a single output representative of that parameter. A generic validation approach is used to ensure that it is well understood by operators. This avoids an operator questioning the origin of each valid parameter.

The generic algorithm averages all sensors in the most accurate range and deviation checks all sensors in that range against the average. If the deviation checks are satisfactory, the average is output as a valid signal. If any sensors do not successfully pass the deviation check against the average, the sensor with the greatest deviation from the average is taken out and the average is recalculated with the remaining sensors. When all sensors used to generate the average deviation check satisfactorily against the average, this average is output as a valid signal. This valid signal is then deviation checked against the Post-Accident Monitoring System sensors. If this second deviation check is satisfactory, the valid signal is output as Valid PAMI (Post-Accident Monitoring Indication), indicating that this signal is suitable for monitoring during emergency conditions, since it is in agreement with the value as determined by the PAMI sensors. As long as agreement exists, this indicator may then be utilized for post-accident monitoring rather than utilizing the dedicated PAMI indicator. This provides an HFE advantage of allowing the operator to use the indicator he normally uses for any day-to-day work and with which he is most familiar.

The validation process, as described, reduces the time an operator takes to perform the tasks related to key RCS process related parameters. Redundant process parameters for Nuplex 80+ use the algorithm described above. To ensure timely information, all validated outputs are recalculated at least once every two seconds. Additionally, redundancy and hardware diversity are provided in the calculating devices, ensuring reliability. Figure 18.7.1-7 illustrates how validated outputs for pressurizer pressure and pressurizer level are displayed on a discrete indicator.
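The following is an added illustrative implementation of the generic validation algorithm described above; it is not code from the System 80+ or Nuplex 80+ design. It assumes, as for loop Thot in Section 18.7.3.2.1.3, that the narrow-range channels form "the most accurate range" and the wide-range channels are the PAMI sensors; that a valid output needs at least two surviving channels; that every PAMI channel must agree for the Valid PAMI tag; and that the tolerances and readings (tags borrowed from the loop 1 Thot list, values constructed) are made up. A non-converging average is treated as the validation fault condition that the "RCS Validation" alarm tile of Section 18.7.3.2.3.1 presumably reports.

```python
"""Generic redundant-sensor validation (illustration of Section 18.7.3.2.1.6).

Added example, not code from the System 80+ / Nuplex 80+ design.
Assumptions: narrow-range channels are "the most accurate range" and are the
ones averaged; wide-range channels are the PAMI sensors (as for loop Thot);
a valid output needs at least two surviving channels; all PAMI channels must
agree for the output to be tagged Valid PAMI; tolerances and readings below
are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import fmean
from typing import Optional


@dataclass(frozen=True)
class Channel:
    tag: str             # instrument tag, e.g. "T-112HA"
    value: float         # current reading (degrees F in the sample)
    narrow_range: bool   # True: in the most accurate range, used for the average
    pami: bool = False   # True: Post-Accident Monitoring channel


@dataclass(frozen=True)
class Validated:
    value: Optional[float]     # validated average, None on a validation fault
    used: tuple[str, ...]      # channels that passed the deviation check
    rejected: tuple[str, ...]  # channels removed, worst offender first
    quality: str               # "VALID PAMI", "VALID" or "FAULT"


def converge(readings: dict[str, float], tol: float, min_channels: int = 2):
    """Average the channels, deviation-check each one against that average,
    remove the single channel with the greatest deviation if any fails, and
    repeat until every remaining channel is within tol of the average.
    Returns (average or None, kept tags, rejected tags)."""
    kept = dict(readings)
    rejected: list[str] = []
    while len(kept) >= min_channels:
        avg = fmean(kept.values())
        worst = max(kept, key=lambda tag: abs(kept[tag] - avg))
        if abs(kept[worst] - avg) <= tol:
            return avg, tuple(kept), tuple(rejected)
        rejected.append(worst)
        del kept[worst]
    return None, tuple(kept), tuple(rejected)


def validate(channels: list[Channel], dev_tol: float, pami_tol: float) -> Validated:
    """Single valid output for one parameter plus its quality tag."""
    accurate = {c.tag: c.value for c in channels if c.narrow_range}
    avg, kept, rejected = converge(accurate, dev_tol)
    if avg is None:
        # Nothing left to agree on: treated here as the validation fault condition.
        return Validated(None, kept, rejected, "FAULT")
    # Second deviation check: the valid signal against the PAMI sensors.
    pami = [c for c in channels if c.pami]
    if pami and all(abs(c.value - avg) <= pami_tol for c in pami):
        return Validated(avg, kept, rejected, "VALID PAMI")
    return Validated(avg, kept, rejected, "VALID")


# Constructed scan for loop 1 Thot (tags from Section 18.7.3.2.1.3, values made
# up): T-112HD has drifted about 7 F high and should be rejected.
LOOP1_THOT = [
    Channel("T-112HA", 621.0, narrow_range=True),
    Channel("T-112HB", 621.4, narrow_range=True),
    Channel("T-112HC", 620.8, narrow_range=True),
    Channel("T-112HD", 627.9, narrow_range=True),
    Channel("T-111HA", 622.0, narrow_range=False, pami=True),
    Channel("T-111HB", 620.0, narrow_range=False, pami=True),
]

if __name__ == "__main__":
    r = validate(LOOP1_THOT, dev_tol=2.0, pami_tol=5.0)
    print(f"{r.quality}: {r.value:.2f} F from {r.used}; rejected {r.rejected}")
```

With the constructed scan the drifted channel is removed on the first pass and the three remaining channels agree, so the output is tagged Valid PAMI. The same code returns plain Valid when the narrow-range channels agree among themselves but not with a PAMI sensor, and FAULT when no two channels can be brought within tolerance; the caller decides how the latter is alarmed.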

18.7.3.2.2 RCS Panel Controls

The RCS panel controls were identified by the method described earlier in Section 18.7.3.2 and are presented in this section. As with the indicators and alarms, the controls on the RCS panel are divided into the three RCS panel functional groups identified in Section 18.7.3.1. The controls under each functional group are described below.

Figure 18.7.3-25 illustrates seven specific switch types used in the Nuplex 80+ Man-Machine Interface. These switches are based on the generic switch types identified in Section 18.7.1.6.1.1 and conform to the standard conventions developed for Nuplex 80+ (Section 18.7.1.1). These seven switch types are located on the RCS panel. Table 18.7.3-2 identifies the color and information type for each switch. RCS panel switches are identified in accordance with the control identification criteria in Section 18.7.2.3.3. Table 18.7.3-3 contains the alpha-numeric descriptors for the component identification (region 1), switch type (A, B, C, D, E, F or G) and the alpha descriptor for the function (region 3) for all of the RCS panel switches described in the following Sections: 18.7.3.2.2.1, 18.7.3.2.2.2, 18.7.3.2.2.3, and 18.7.3.2.2.5.

18.7.3.2.2.1 RCS Functional Group Controls

The following controls were identified through the method described earlier in Section 18.7.3.2 for inclusion in the RCS functional group:

• Auxiliary Spray Isolation Valve (CH-205) (Open, Close Switch and Valve Position Status)

• Pressurizer Pressure Process Control

The Pressurizer Pressure Process Controller provides for control of pressurizer pressure by selection of the following control modes. (Refer to Section 18.7.1.7 for a description of how the operator interfaces with the process controller.)

1. Master Loop Control. While in master loop control the operator can select either automatic or manual control of pressurizer pressure (see Figure 18.7.3-26). The operator can also select the desired signal used for control of pressurizer pressure (see Figure 18.7.3-27).
2. Subloop Control. The pressurizer pressure process controller contains the following subloop control modes:
                -        Heater Output Control (see Figure 18.7.3-28)
                -        Spray Output Control (see Figure 18.7.3-29)
                -        Proportional Heater Control (see Figure 18.7.3-30)
                -        Spray Valve Control (see Figure 18.7.3-31)
  • Eight Pressurizer Backup Heaters (Group B1, B2, B3, B4, B5, B6, B7 and B8) (Open, Close and Automatic Switches and Operating Status)


18.7.3.2.2.2 RCP Functional Group Controls

The following controls were identified during the controls identification process for inclusion in the RCP functional group:

• RCP (1A, 1B, 2A, 2B) (On, Off Control Switch and Status)
• RCP HP Cooler Inlet and Outlet Isolation Valves (Open, Close Switch and Status)
    1. 1A: RC-446 and RC-450
    2. 1B: RC-447 and RC-451
    3. 2A: RC-448 and RC-452
    4. 2B: RC-449 and RC-453
  • RCP (1 A, IB, 2A, 2B) Oil Lift Pump (On, Off Control Switch and Status)
• RCP (1A, 1B, 2A, 2B) Controlled Bleedoff Isolation Valve (Open, Close Switch and Status) (RC-430, 431, 432 and 433)

18.7.3.2.2.3 RCP Seal/Bleed System Functional Group Controls

The following controls were identified during the controls identification process for inclusion in the RCP Seal/Bleed functional group:

• Seal Injection System Controller

A single process controller is used to control the 5 control valves in the RCP Seal Injection System. This multi-purpose controller controls the following:
1. RCP 1 A Seal Injection Flow Control Valve (FIC-241)
2. RCP 1B Seal Injection Flow Control Valve (FIC-242)
3. RCP 2A Seal Injection Flow Control Valve (FIC-243)
4. RCP 2B Seal Injection Flow Control Valve (FIC-244)
5. Seal Injection Temperature Control Valve (CH-231)

Automatic or manual control of the five valves in this group is performed by this single process controller. The Seal Injection controller uses the process controller control philosophy as described in Section 18.7.1.7. The controller provides seal injection temperature control as well as flow control to each of the Reactor Coolant Pumps. The controller also provides for valve positioning of the Seal Injection Temperature Control Valve CH-231 and Seal Injection Flow Control Valves CH-241, CH-242, CH-243 and CH-244. These valves can be placed in either Open Permissive or Close Position, and Valve Position Status is provided. The following figures provide examples of different Seal Injection controller display formats:

• Temperature Output Demand - Figure 18.7.3-32
• Temperature Setpoint Control - Figure 18.7.3-33
• RCP 1A Flow Setpoint Control - Figure 18.7.3-34
• RCP 1A Flow Output Demand - Figure 18.7.3-35

18.7.3.2.2.4 DPS VDU Controls

A single DPS VDU is provided at the RCS panel. As discussed in Section 18.7.1.3, it has touch sensitive controls for displays and alarms. Additionally, the VDU will have controls for brightness, contrast and power. There are no process or component related controls on the DPS VDU. It serves strictly as a monitoring system to observe and help diagnose the process.

18.7.3.2.2.5 Alarm Controls

As discussed in Section 18.7.1.5, RCS panel alarm tiles have touch sensitive switches that acknowledge and reset alarms and activate display of the alarm messages.

18.7.3.2.2.6 Lamp Test

An RCS panel lamp test switch is provided to test RCS panel alarm and control system lights. Figure 18.7.3-25 illustrates this switch, and Table 18.7.3-2 describes it.

18.7.3.2.3 RCS Panel Alarms

The RCS panel alarms that were compiled, as described earlier in Section 18.7.3.2, are organized and displayed on the RCS panel alarm tiles using the same three functional groups as the discrete indication and controls. Figures 18.7.3-36 and 18.7.3-37 show the functional grouping for the RCS alarm tiles. RCP alarms are in one group, RCP Seal/Bleed System alarms in another group, and RCS alarms form the third functional group. The RCS panel has over 200 conditions that can cause an alarm. To assure adequate alarm comprehension, many alarms are grouped into subfunctional groups (e.g., RCP Pump/Motor) in accordance with the Nuplex 80+ alarm philosophy discussed in Section 18.7.1.5. The subfunctional group alarm tiles have a variety of related alarm messages that are read in the message areas at the point of acknowledgement. In cases where key process related parameters (i.e., those identified in Section 18.7.3.2.1.3) are alarmed, there is a single alarm tile alarm (e.g., RCS Pressure Low). This single alarm tile provides for rapid understanding of key process variables.

In addition to the alarm tile reduction, the other Nuplex 80+ alarm system features described in Section 18.7.1.5 are also incorporated into the RCS panel. Priorities have been established for all RCS panel alarms. These are indicated for each alarm in the following subsections.

RCS panel alarms are mode dependent based on the modes described in Section 18.7.1.5. Mode dependency is determined on a case by case basis for each alarm with the focus being on eliminating inappropriate or nuisance alarms. An example of the implementation of mode dependency for the RCS alarms is the low pressurizer pressure alarm. The pressurizer pressure alarm is based on the valid pressurizer pressure indication discussed in Section 18.7.3.2.1.3. Mode dependency is accomplished for low pressurizer pressure by automatic adjustment of the alarm setpoint as the operator selects the plant alarm mode (except for post-trip). During normal operation a fixed setpoint exists. Upon reactor trip, a lower fixed setpoint is established automatically to prevent nuisance actuation of the alarm. The normal post-trip pressure response would activate the alarm if the normal operation setpoint remained. The post-trip setpoint only allows actuation if an abnormally low post-trip pressure response exists. For the heatup/cooldown mode a manually adjusted setpoint is provided to warn the operator of an unexpected pressure reduction transient. The alarm is disabled in the cold shutdown/refueling mode because of the expected near-atmospheric pressure in the RCS. All RCS alarms are analyzed in a similar manner to establish mode dependency.

RCS panel alarms are also based on equipment status dependency as discussed in Section 18.7.1.5. An example of an equipment status alarm implementation is provided by the RCP "Pump AMPS High" alarm. This alarm is bypassed for a short period of time immediately after pump start. A high motor amperage is expected when an RCP is started. The temporary alarm bypass eliminates the nuisance alarm that would occur on a normal RCP start. Again, equipment status dependency is implemented on a case by case basis to eliminate inappropriate or nuisance alarms.

Alarms under each functional group are described in the following sections and shown in Figures 18.7.3-36 and 18.7.3-37.
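As an added example, not the Nuplex 80+ alarm system's own logic, the two kinds of dependency described above (the mode-dependent setpoint of the low pressurizer pressure alarm and the post-start bypass of the RCP "Pump AMPS High" alarm) can be modelled as below. The setpoint values, the bypass duration, the treatment of a validation fault as "no pressure alarm" and the sample readings are assumptions made for the illustration; the alarm mode set follows the text, and the pressure alarm is driven from the valid pressurizer pressure of Section 18.7.3.2.1.6, with a `None` input standing for a validation fault.

```python
"""Mode- and equipment-status-dependent alarms (illustration of Section 18.7.3.2.3).

Added example, not the Nuplex 80+ alarm system. The setpoint values, the
startup bypass duration and the sample readings are constructed; the plant
alarm modes follow the text. The low pressurizer pressure alarm is evaluated
against the valid pressurizer pressure (Section 18.7.3.2.1.6); a None input
stands for a validation fault, which is assumed to be alarmed on its own tile
and therefore does not raise the pressure alarm here.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional


class AlarmMode(Enum):
    NORMAL = "normal operation"                 # operator-selected
    POST_TRIP = "post-trip"                     # entered automatically on reactor trip
    HEATUP_COOLDOWN = "heatup/cooldown"         # operator-selected, manual setpoint
    COLD_SHUTDOWN = "cold shutdown/refueling"   # operator-selected, alarm disabled


# Assumed fixed setpoints, psia (illustration only).
NORMAL_LOW_PRESS_SP = 2150.0
POST_TRIP_LOW_PRESS_SP = 1600.0


def pzr_pressure_low(valid_pressure: Optional[float], mode: AlarmMode,
                     manual_sp: Optional[float] = None) -> bool:
    """'Pressurizer Pressure Low' with the mode-dependent setpoint of the text."""
    if valid_pressure is None:
        return False  # validation fault: assumed reported via the "RCS Validation" tile
    if mode is AlarmMode.COLD_SHUTDOWN:
        return False  # disabled: RCS expected near atmospheric pressure
    if mode is AlarmMode.HEATUP_COOLDOWN:
        if manual_sp is None:
            raise ValueError("heatup/cooldown mode needs a manually adjusted setpoint")
        return valid_pressure < manual_sp
    if mode is AlarmMode.POST_TRIP:
        return valid_pressure < POST_TRIP_LOW_PRESS_SP  # lower fixed setpoint
    return valid_pressure < NORMAL_LOW_PRESS_SP


@dataclass
class RcpAmpsHigh:
    """RCP 'Pump AMPS High' with the post-start bypass of the text."""
    high_sp: float                    # amps; assumed value
    bypass_s: float                   # seconds of bypass after start; assumed
    running: bool = False
    started_at: Optional[float] = None

    def set_running(self, running: bool, now: float) -> None:
        """Track pump status; a stopped-to-running transition starts the bypass timer."""
        if running and not self.running:
            self.started_at = now
        elif not running:
            self.started_at = None
        self.running = running

    def evaluate(self, amps: float, now: float) -> bool:
        if not self.running:
            return False  # a stopped pump cannot be in 'amps high'
        if self.started_at is not None and now - self.started_at < self.bypass_s:
            return False  # starting transient: high inrush current is expected
        return amps > self.high_sp


def rcp_start_scan(alarm: RcpAmpsHigh, start_t: float,
                   readings: list[tuple[float, float]]) -> list[bool]:
    """Start the pump at start_t, then evaluate each (time, amps) reading in order."""
    alarm.set_running(True, start_t)
    return [alarm.evaluate(a, t) for t, a in readings]


if __name__ == "__main__":
    print(pzr_pressure_low(2100.0, AlarmMode.NORMAL))      # True
    print(pzr_pressure_low(2100.0, AlarmMode.POST_TRIP))   # False: lower setpoint
    scan = [(2.0, 900.0), (6.0, 500.0), (12.0, 900.0), (20.0, 400.0)]
    print(rcp_start_scan(RcpAmpsHigh(high_sp=600.0, bypass_s=10.0), 0.0, scan))
    # [False, False, True, False]
```

The bypass window is closed at exactly `bypass_s` seconds after the recorded start, so a reading taken on that boundary is evaluated normally; stopping the pump clears the start time so the next start gets a fresh bypass.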

18.7.3.2.3.1 RCS Functional Group Alarms

Alarms were selected for the RCS functional group by the process indicated earlier in Section 18.7.3.2. They are grouped with the following alarm tiles. Ten alarm tiles exist for the RCS:

1. "RCS Temperature High"
   Alarm messages associated with this alarm tile are:
    - "RCS Thot Hi", Priority 1
    - "RCS Tcold Hi", Priority 1

2. "Pressurizer Safety"
   Alarm messages associated with this tile are:
    - "Pressurizer Safety Open", Priority 1

    - "Pzr Safety (RC-200) to IRWST Temp Hi" (from TI-107), Priority 2
    - "Pzr Safety (RC-201) to IRWST Temp Hi" (from TI-108), Priority 2
    - "Pzr Safety (RC-202) to IRWST Temp Hi" (from TI-109), Priority 2
    - "Pzr Safety (RC-203) to IRWST Temp Hi" (from TI-106), Priority 2

3. "Pressurizer Level High"
   Alarm messages associated with this tile are:
    - "Pressurizer Level High", Priority 1
    - "Pressurizer Level Error High", Priority 2

4. "Pressurizer Level Low"
   Alarm messages associated with this tile are:
    - "Pressurizer Level Low", Priority 1
    - "Pressurizer Level Error Low", Priority 2

5. "Pressurizer Pressure High"
   Alarm message is "Pressurizer Pressure High", Priority 1

6. "Pressurizer Pressure Low"
   Alarm message is "Pressurizer Pressure Low", Priority 1

7. "Pressure Low, Trip 2, Leave 2"
   Alarm message is "Press Low, Trip 2, Leave 2", Priority 1

8. "RC Vessel Vent/Seal"
   Alarm messages under this alarm tile include:
    - "Reactor Vessel Seal Press Hi", Priority 2
    - "Pzr/Reactor Vessel Head Vent Press Hi", Priority 2

9. "RCS Validation"
   Alarm messages under this alarm tile include:
    - "Tcold Validation Fault", Priority 2
    - "Thot Validation Fault", Priority 2
    - "Pzr Level Validation Fault", Priority 2
    - "Pzr Water Temp Validation Fault", Priority 2
    - "Pzr Pressure Validation Fault", Priority 2
    - "RCP D/P Validation Fault", Priority 2
10. "RCS Loop Temperature Deviation"
   Alarm messages under this alarm tile include:
    - "Tcold Cold Leg 1A/1B Temp Deviation", Priority 2
    - "Tcold Cold Leg 2A/2B Temp Deviation", Priority 2
    - "Tcold Loop 1/2 Temp Deviation", Priority 2
    - "Thot Loop 1/2 Temp Deviation", Priority 2

18.7.3.2.3.2 RCP Functional Group Alarms

Alarms were selected for the RCP functional group by the process indicated earlier in Section 18.7.3.2. The alarms are organized into functional subgroups consistent with the menus on RCP discrete indicators (Section 18.7.3.2.1.4). They are provided in the following lists for Priority 1 and Priority 2 alarms, respectively. Four alarm tiles exist for each RCP (16 alarm windows):

1. "RCP (1 A,1B, 2A and 2B) Seal" Alarm messages under this Alarm Tile include:
                 -            RCP_ Seals #2 and #3 Outlet Press Hi, Priority 1

. - RCP_ Seal #2 Outlet Press High, Priority 2 , I RCP_ Seal #3 Outlet Press High, Priority 2 RCP_ Seal #1 Outlet Press Low, Priority 2 i

                  -            RCP_ Controlled Bleedoff Flow High, Priority 1                                                       I
                  -            RCP_ Seal #3 Outlet Temp High, Priority 1 i

z :=:Deeen neeenrw men tweers ew eerme m rene 1s.7-st

System 80+ Design ControlDocument

2. "RCP (I A, IB, 2A, 2B) Cooling System" Alarm messages under this Alarm Tile include:

RCP_HP Cooler Inlet Temp High, Priority 1 RCP_HP Cooler Outlet Temp High, Priority 1

       -        RC.P_ Essential Cooling Water Flow Low, Priority 1 RCP_ Essential Cooling Water Outlet Temp High, Priority 1 RCP_ Lube Oil Cooler Temp High, Priority 1
3. "RCP (I A,1B, 2A, 2B) Pump / Motor" Alarm messages under this Alarm Tile include:

RCP_ Motor Current High, Priority 1

       -        RCP_ Motor Anti Reverse Rotation Device Temp High, Priority 1 RCP_ Motor Lower Journal Brg Temp High, Priority 1 RCP_ Motor Upper Journal Brg Temp High, Priority 1 RCP_ Motor Lower Thrust Brg Temp High, Priority 1 RCP_ Motor Stator Temp High, Priority 1 RCP_ Pump Upper Thrust Brg Temp High, Priority 1 RCP_ Pump Lower Journal Brg Temp High, Priority 1 RCP_ Pump Upper Journal Brg Temp High, Priority 1 RCP_ Vibration High, Priority 1 RCP_ Reverse Rotation, Priority 1
4. "RCP (I A, IB, 2A, 2B) Oil System" Alarm messages under this alann tile include:

RCP_PP Brg Oil Reservoir Level Low, Priority 2 RCP,,Mtr. Lower Oil Reservoir Level High, Priority 2 RCP_Mtr. Lower Oil Reservoir Level Low, Priority 2 0 l Approved Desiger Metodel- Human Factors Engmeerkg Page 18.7-82 l l

        -       RCP_ Mtr. Upper Oil Reservoir Level High, Priority 2
        -       RCP_ Mtr. Upper Oil Reservoir Level Low, Priority 2
        -       RCP_ Oil Lift Tank Level High, Priority 2
        -       RCP_ Oil Lift Tank Level Low, Priority 2
        -       RCP_ Oil Lift Pump Flow Low, Priority 2
        -       RCP_ Oil Lift Pump Outlet Press Low, Priority 2

18.7.3.2.3.3 RCP Seal / Bleed System Functional Group Alarms

The RCP Seal / Bleed functional group alarms were selected by the process defined earlier in Section 18.7.3.2. They are provided in a grouping associated with the following alarm tiles:

1. "Seal Injection Temperature" Alarm messages under this alarm tile include:
        -       Seal Inj. Temp Hi-Hi-Seal Isolation, Priority 1
        -       Seal Inj. Temp Lo-Lo-Seal Isolation, Priority 1
        -       Seal Inj. Temp Hi, Priority 2
        -       Seal Inj. Temp Lo, Priority 2
2. "Seal / Injection Flow"
        -       RCP_ Seal Inj. Flow Hi-Hi-Cntl Fail, Priority 2
        -       RCP_ Seal Inj. Flow Lo, Priority 2
3. "Controlled Bleed"
        -       Cntl Bld Press Hi-Hi-Fail /Bld Isol, Priority 1
        -       Cntl Bld Press Hi-Fail /Bld Isol, Priority 2

18.7.3.2.3.4 Priority 2 Operator Established Alarm

This is an alarm tile that the operator may program from the DPS as discussed in Section 18.7.1.5.6 D. It is provided to allow the operator to program for specific RCS conditions for which he desires an additional prompt. One dedicated operator established alarm tile is provided at each panel (e.g., as shown in Figure 18.7.3-39).

18.7.3.2.3.5 Priority 3 Reactor Coolant System Alarms

As described in Section 18.7.1.5, priority 3 alarms inform the operator of conditions that warrant cautionary awareness. The priority 3 parameters that do not degrade to priority 2 or 1 conditions are processed and displayed only by the DPS. Dedicated DIAS alarm tiles are not required for these conditions, because immediate or prompt action is not needed. The priority 3 alarms for the RCS panel are:

  • RCP (1A, 1B, 2A, 2B) Oil Lift Pump Filter Differential Pressure High
  • RCP (1A, 1B, 2A, 2B) Seal Injection Flow High
  • Seal Injection Filter Differential Pressure High
  • Pzr Safety Vlvs. Loss of Position Indication Power
  • Spray from Cold Leg 1B Temp Lo
  • Spray from Cold Leg 1A Temp Lo
  • Pzr Prop Heaters No 1 Fail
  • Pzr Prop Heaters No 2 Fail
  • Pzr Backup Heaters B1 Ch A Fail
  • Pzr Backup Heaters B2 Ch B Fail
  • Pzr Backup Heaters B3 Fail
  • Pzr Backup Heater B4 Fail
  • Pzr Backup Heaters B5 Fail
  • Pzr Backup Heaters B6 Fail
  • Pzr Backup Heaters B7 Fail
  • Pzr Backup Heaters B8 Fail
  • Pzr Heater 6 Distribution Panel D01 Overload
  • Pzr Heater 7 Distribution Panel D02 Overload
  • Pzr Heater 8 Distribution Panel D03 Overload
  • Pzr Heater 9 Distribution Panel D04 Overload
  • Pzr Prop Heaters No 1 PPCU High Temp.
  • Pzr Prop Heaters No 2 PPCU High Temp.
  • RCS TC Sensor Deviation
  • RCS TH Sensor Deviation
  • Pzr Level Sensor Deviation
  • Pzr Water Temp Sensor Deviation
  • Pzr Pressure Sensor Deviation
  • DPS/DIAS RCS TC Calculation Deviation
  • DPS/DIAS RCS TH Calculation Deviation
  • DPS/DIAS Pressurizer Level Calculation Deviation
  • DPS/DIAS Pressurizer Pressure Calculation Deviation
  • RCS D/P Sensor Deviation

18.7.3.2.3.6 Operator Aid Information for the RCP Panel

Operator Aid information is only available on the DPS (see Section 18.7.1.5.6 E). The only operator aid information that exists for the RCS is a component discrepancy generated by the DPS success path monitoring algorithms (see Section 18.7.1.8).

18.7.3.2.4 Alarms on the DPS VDU

As discussed in Section 18.7.1.5, all conditions that activate the RCS alarm tiles also activate duplicate alarms on the DPS VDU. The alarms for the RCS panel are presented using the following three techniques:

  • Hierarchical Mimic Pages present priority 1, 2, 3 and operator aid alarms.
  • A Time Sequential Listing presents priority 1, 2, 3, operator aid and operator established alarms.
  • A Prioritized Alarm List presents the following categories:
        1.      Priority 1 Alarms
        2.      Priority 2 Alarms
        3.      Priority 3 Alarms
        4.      Operator Established Alarms

The following five alarm messages in the RCS are illustrated on Figure 18.7.3-38 to demonstrate how they would be displayed on the time sequential alarm list.

  • RCS TH Hi (Priority 1)
  • RCS TC Hi (Priority 1)
  • Pzr Level Error Low (Priority 2)
  • Pzr Safety (RC-200) to RDT Temp Hi (from TI-106) (Priority 2)
  • Pzr Level Sensor Deviation (Priority 3)

18.7.3.3 Detailed Layout of RCS Panel

To assist in designing the RCS panel layout, a full scale mockup of the RCS panel is used to establish the detailed layout of the RCS panel. Using this mockup, the criteria for layout of control room indication and controls provided in Section 18.7.2.3 are applied. As discussed in Section 18.7.3.2, the indication, controls and alarms for the RCS panel are assigned to the three functional groups (RCS, RCP and RCP Seal / Bleed). Each group is assigned to a general area on the RCS panel.

To facilitate the panel layout, full size representations of all indication, control and alarm hardware devices for the RCS panel are made. The final layout of the RCS panel is impacted by the size and type of hardware selected. The major hardware device that impacts the layout of the RCS panel is the discrete indicator. The equipment selected for this indicator has a display screen measuring 3.9 inches by 7.7 inches. Using the criteria specified in Section 18.7.1.1.7 for labels and information size, sample displays are drawn. An area measuring 3.75 inches by 3.75 inches meets the criteria for all DIAS displays on the RCS panel. Thus, the hardware selected for DIAS displays is split into two screens, with each screen displaying the parameters for a single discrete indicator. An obvious demarcation line is displayed to visually separate the two displays. The discrete indicator for pressurizer pressure and pressurizer level in Figure 18.7.1-7 illustrates how these two process parameters are displayed on a single display device.

The RCS panel DPS VDU is placed in the center of the panel, as with all panels, to facilitate viewing it adequately from in front of all sections of the panel. After placing the three functional groups and DPS VDU, the resulting RCS panel design is shown in Figure 18.7.3-39. The following sections address the detailed layout of each functional group.

18.7.3.3.1 RCS Functional Group Layout

As discussed in Section 18.7.3.1, the RCS functional group is the most frequently used on the RCS panel. It is, therefore, placed on the right hand side of the RCS panel (the RCS panel section closest to the center of the MCC). All controls and some indication are located on the apron (near horizontal) section of the RCS panel for this functional group. The discrete indicators for the RCS functional group are placed on the vertical section of the RCS panel. There is one discrete indicator for the RCS functional group that is located to the left of the DPS VDU.

The discrete indicator for infrequently viewed RCS parameters is located to the left of the DPS VDU and not above the RCS functional group based on the following factors:

  • The discrete indicators for RCS and RCP Seal / Bleed System are displayed on a common device. With one device providing indication for two functional groups, it is difficult to place it within both functional groups simultaneously unless the groups are adjacent.

  • Placing the DPS VDU (primary source of information) near the center of the RCS panel is the highest layout priority. This location divided the RCS and RCP Seal / Bleed groups and thus necessitated placing the common indicator at a different location.
  • Since these parameters are infrequently viewed on this indicator, the discrete indicator location poses little inconvenience. All of its parameters would normally be viewed on the DPS.

Figure 18.7.3-39 shows the two RCS panel areas where RCS functional group indication and controls are located. A "RCS" label is located at the top of this panel section.

  • Identification of Functional and Subfunctional Groups

For the RCS, the pressurizer indication and controls make up the majority of indications and controls. Therefore, the pressurizer is identified as a functional group within the RCS functional group. This group is identified on the panel by the following methods in accordance with the criteria of Section 18.7.2.3.3.

1. Group Align Stripe - A thick line forms an enclosed area around the indicator and controls for the pressurizer group.
2. A label titled "PRESSURIZER" is placed above the group align stripe on the vertical section of the RCS panel.
3. Labels are placed above the following subfunctional groups within the pressurizer functional group in accordance with the identification criteria in Section 18.7.2.3.
        -       Pressurizer Pressure Indicator - Label titled "PRESS" (in purple, because it is a PAMI indicator)
        -       Pressurizer Level Indicator - Label titled "LEVEL" (in purple, because it is a PAMI indicator)
        -       Pressurizer Pressure Controller - Label titled "PRESS CNTL"
        -       Pressurizer Auxiliary Spray Valve Switch (CH-205) - Label titled "SPRAYS"
        -       Pressurizer Backup Heater Controls (Grp B1-B8) - Label titled "BACKUP HEATERS" (Groups B1 and B2 have a purple bezel, because the switch status for these switches is a PAMI indication)
4. Labels are placed above the discrete indicators for the following groups of RCS indication (in purple, because they are PAMI indicators):
        -       RCS TH Indicator - Label titled "TH"
        -       RCS TC Indicator - Label titled "TC"
        -       Other infrequently viewed RCS parameter indicator - Label titled "RCS"

  • Layout of RCS Functional Group

The layout of the RCS functional group indication and controls was implemented using the related function technique identified in Section 18.7.2.3.1. The related function technique is used because neither a flow path nor a sequential layout technique is applicable to the RCS functional group.

The controls and indication for the pressurizer (pressurizer pressure indicator, pressurizer level indicator, pressurizer sprays, and backup heaters) are also arranged by related function in the PRESSURIZER functional group. The subfunction controls for the pressurizer are also arranged based on related function. The Backup and Proportional Heater subfunction groups, which serve the same function (to increase pressure), are located at the bottom of this group. See Figure 18.7.3-39 for the location and arrangement of this group. Similarly, the Pressurizer Auxiliary Spray valve is used as a means of reducing pressure and is placed above the heater controls. The Pressurizer Pressure Controller, which controls heaters and sprays, is placed above and adjacent to the discrete indicators for pressurizer pressure and pressurizer level, which are placed above the Pressurizer Pressure Controller (see Figure 18.7.3-39). The TH and TC discrete indicators are placed above the pressurizer functional group to allow viewing the four RCS process parameters (pressurizer pressure, pressurizer level, TH and TC) at one panel location (related function). The RCS discrete indicator for other RCS parameters is located to the left of the DPS VDU, as previously discussed.

18.7.3.3.2 RCP Functional Group Layout

There are four Reactor Coolant Pumps (RCP) for System 80+. Each RCP is operated independently of the other RCPs and has separate indication and controls. The controls and indications for the RCPs are divided into four functional groups corresponding to the individual RCPs. These four functional groups are arranged from left to right on the RCS panel as follows: RCP 1A, RCP 1B, RCP 2A and RCP 2B. This is shown on Figure 18.7.3-39.

  • Identification of RCP Functional Groups

The four functional groups of the RCPs, RCP 1A, RCP 1B, RCP 2A and RCP 2B, are identified by methods specified in Section 18.7.2.3.3. The two methods selected are:

1. Group Align Stripe - A thick line forms an enclosed area around the indicator and controls for each of the four RCPs, 1A, 1B, 2A, and 2B (see Figure 18.7.3-39).
2. Labels titled RCP 1A, RCP 1B, RCP 2A and RCP 2B are placed above the top group align stripe for each of the four functional groups.

  • Layout of the Four RCP Functional Groups

The layout of each of the functional groups is implemented using a combination of the following techniques identified in Section 18.7.2.3:

1. System flow path
2. Sequential
3. Related Function

The indication is placed in the vertical panel section directly above the controls for the respective RCP to prevent obscuring indication while controls are manipulated. All controls are placed on the apron section of the RCS panel. The controls for the RCPs are placed in functional groups, because they provide all controls necessary to operate (related function) each RCP, independent of the controls for the other three RCPs. The general arrangement of each group is sequential. The HP cooler inlet and outlet isolation valves are required to be opened before the pump may operate and are placed at the top of the group. The oil lift pump is the next component, followed by controls for the RCP. At the bottom of the functional group is the controlled bleedoff isolation valve switch, a component that is normally open but may be closed during an emergency. After sequential layout of the functional controls vertically, they are centered horizontally within the functional area. The only exception is the HP cooler inlet and outlet valve controls, which are arranged with the inlet valve on the left and the outlet valve on the right, to follow the convention for flow direction in Nuplex 80+. Final adjustments are made to insure that the horizontal and vertical spacing between indications and controls meets all spacing criteria identified in Section 18.7.2.3.2.

18.7.3.3.3 RCP Seal / Bleed System Functional Group Layout

This functional group of indication and controls is placed near the center of the RCS panel. Most indication and all controls for this group are located in the apron section of the panel. The discrete indicator for the RCP Seal / Bleed System is located on the vertical section of the panel above and to the left of the controls. This location is to the left of the DPS VDU. Placing the discrete indicator for the RCP Seal / Bleed System away from the controls was determined to be satisfactory in light of the following considerations:

  • The DPS VDU is the primary source of information for the RCS panel and is placed near the center of the panel. This is the highest priority layout concern.
  • The parameters displayed on the RCP Seal / Bleed System discrete indicator are infrequently accessed.

Figure 18.7.3-39 shows the two RCS panel areas where RCP Seal / Bleed System indication and controls are located. Separate labels identify the functional group of indication and controls on the apron section and the indicator on the vertical section.

  • Identification of Functional Group

The controls for the RCP Seal / Bleed System are identified on the RCS panel by methods specified in Section 18.7.2.3.3. The following methods are used:

1. Group Align Stripe - A thick line forms an enclosed area around the indicating controller.
2. A label titled "RCP SEAL / BLEED" is placed above the top group align stripe on the controls section, which is located on the apron section of the RCS panel.
3. A label titled "RCP SEAL / BLEED" is placed above the discrete indicator for the RCP Seal / Bleed System.

4. A label titled "INJ FLOW CNTL" is placed above the Seal Injection Flow Controller.
5. A label titled "INJ TEMP CNTL" is placed above the Seal Injection Temperature Controller.

18.7.3.4 Alarm Layout

The alarm tiles for the RCS panel are contained on two flat panel display modules. The module used for the 16 Seal Bleed System alarms is located above the RCP and seal bleed system functional groups to the left of the DPS VDU. Figure 18.7.3-39 illustrates its location, and Figure 18.7.3-37 illustrates the detailed layout of the alarm tiles. This location places the alarms at the highest level within the RCP/Seal Bleed functional groups to enhance their attention getting function. The module used for the RCS and Operator Established Alarm tiles is located above the Pressurizer functional group to the right of the DPS VDU. Figure 18.7.3-39 illustrates its location, and Figure 18.7.3-36 illustrates the detailed layout of the alarm tiles.

  • Identification of Functional Alarm Groups

The RCP functional alarm group is identified by a label titled "RCP", placed above the RCP/Seal Bleed System Alarm Module. The Seal Injection System functional alarm group is identified by a label titled "Seal / Bleed", placed above the RCP Seal / Bleed Alarm Module. The RCS functional alarm group is identified by a label titled "RCS", placed above the RCS alarm module.

  • Layout of Alarms Within Each Functional Group

The alarms for the RCS are located on the right alarm module and arranged as shown on Figure 18.7.3-36. For cases where high and low alarm tiles exist for the same process (i.e., Pressurizer Pressure Hi and Pressurizer Pressure Lo), the high alarm tile is placed above the low alarm tile.

The alarms for the RCP are located on the left alarm module and arranged as shown on Figure 18.7.3-37. They are placed within functional groups identical to the RCP indication and controls. There are four columns of RCP alarms, RCP 1A, RCP 1B, RCP 2A and RCP 2B. These columns of alarms are located left to right, as are the indication and controls. To help identify problems common to more than one RCP, similar alarms (i.e., cooling system) for the four RCPs are located in the same row. There are three alarm tiles for the RCP Seal Injection System. These are shown in Figure 18.7.3-37.

18.7.3.5 DPS VDU Layout

The VDU is located near the center and close to the bottom of the vertical panel section, as specified in Section 18.7.2.3.1 (Figure 18.7.3-39 illustrates its location).

18.7.3.6 Miscellaneous Controls Layout

A lamp test switch is located in the upper center area of the apron section of the RCS panel (Figure 18.7.3-39 illustrates its location). The Operator Aid Alarm tile is provided on the vertical section of the RCS panel.

18.7.4 Other Nuplex 80+ Panel Designs

This section provides the functional design of all Nuplex 80+ control room panels except the RCS panel (described in Section 18.7.3). The panel designs described in this section are based on application of the same standard information presentation and control techniques described in Sections 18.7.1 and 18.7.2. Each of the following sections exemplifies the functional groups provided on a panel and a panel layout based on the functional grouping. In addition, unique panel features differing from the standard panel features are identified. The method of integrating these features into the panel design is presented. This includes items such as operator modules. The individual panel descriptions also identify all indications and controls used for post accident monitoring and controls. Panel designs and their subsequent modifications meet the HFPP (Section 18.4, Reference 4). The following sections contain the additional Nuplex 80+ panel descriptions starting with MCC panels, safety console panels, auxiliary console panels and finally the CRS console. See Figure 18.6.5-1 for the location of the following panels in the control room.

18.7.4.1 Chemical and Volume Control System Panel

The Chemical and Volume Control System (CVCS) panel has those components and controls that the operator requires to monitor and control primary letdown and charging, makeup water and effluent processing systems required during plant startup, shutdown and normal operations. The controls and indications are provided consistent with the Nuplex 80+ standard techniques and conventions, as exemplified by the RCS panel. The CVCS system contains no instrument channels which are required for post-accident monitoring; additionally, the system itself is not required for plant safety. The controls and indications on the CVCS panel are broken down into functional groups (exemplified on Figure 18.7.4-1):

  • Letdown / Charging

This group contains the indication and controls associated with the charging (e.g., charging pumps, suction valves) and letdown (e.g., letdown flow control, stop valves) portions of the CVCS, and the pressurizer level controller controls.

  • Makeup

This group contains the indication and controls associated with the makeup function of the CVCS (e.g., makeup pumps, water sources).

  • Effluent Controls

This group contains the indication and controls for processing the primary fluid removed from the RCS.

Included in the controls mounted on the CVCS panel are process controllers for pressurizer level, letdown / charging, and makeup water. These controllers are designed in a consistent manner as the other process controllers which have been covered in the RCS panel details (Section 18.7.3.2.2). The Discrete Indicator and Alarm System (DIAS) provides temperature, pressure, level, radiation and flow parameters via discrete indicators. Alarms associated with the systems are grouped and displayed by the alarm tiles and message windows. The Data Processing System (DPS), via the panel mounted VDU, provides general monitoring, system / component level monitoring and detail / diagnostic information on the letdown / charging, makeup water and effluent processing systems. The display page format and

information handling is consistent with the Nuplex 80+ DPS display page methodology (Section 18.7.1.3), as demonstrated on the RCS panel displays (Section 18.7.3.2.1). Manual controls which are required for operations of the CVCS are located and functionally grouped on this panel. Control identification, symbology and hue, along with functional grouping of control and indications, group demarcation and labeling are in accordance with the Nuplex 80+ panel layout criteria (Section 18.7.2) and exemplified by the RCS panel description.

18.7.4.2 Plant Monitoring and Control Panel

The Plant Monitoring and Control Panel contains those systems the operator requires for control and monitoring of core reactivity associated with maneuvering the plant from hot shutdown to full power operation and return to hot shutdown, and additional plant level controls that require a convenient centralized location due to the frequency of their access. A functional layout of the Plant Monitoring and Control Panel is exemplified in Figure 18.7.4-2. The controls and indications are provided consistent with Nuplex 80+ standard techniques and conventions, as exemplified by the RCS panel, with the following exceptions:

Two Engineered Safety Features Actuation System (ESFAS) modules are provided on the Plant Monitoring and Control Panel. These modules provide pushbutton switches for manual actuation of Containment Isolation, Containment Spray, Main Steam Isolation and Safety Injection Actuation. The modules also provide maintained position switches for Emergency Feedwater 1 and 2 actuation. One of these modules is channelized A and the other is channelized D; B and C modules are provided on the Safety Monitoring panel of the Safety Console (see Section 18.7.4.5). Each module is wired to its respective channel of the Plant Protection System (PPS).

A and D channelized pushbutton switches are located on the panel for manual initiation of reactor trip and interface with their respective Reactor Trip Switchgear (RTSG) breakers. Pushbutton switches for channel B and C manual initiation are located on the Safety Monitoring Panel. In addition, a pair of channelized (X, Y) pushbutton switches are provided for manual initiation of reactor trip via the Alternate Protection System (APS), which trips the Control Element Drive Mechanism (CEDM) motor generator sets. Manual initiation of the emergency feedwater system via the APS is not provided, since initiation may be accomplished manually at the component level at the SC panels. For both the manual initiation of the reactor trip, either normal or APS, and ESFAS actuations, it takes operator actuation of two channels of the desired system to initiate the system actuation.

An alarm mode selector pushbutton matrix has been provided which interfaces with the Discrete Indication and Alarm System (DIAS) and the Data Processing System. The operator uses it to input the present plant operating mode for the mode dependent alarm logics and setpoints, and for critical function and success path monitoring algorithms. The operator-selected operating modes are:

  • Normal Operation
  • Heatup/Cooldown
  • Cold Shutdown / Refueling
  • Post-Trip

The fourth mode, post-trip, is automatically initiated upon the reactor trip breakers opening, and only indication is provided for this automatic mode selection.

Also associated with the DIAS and DPS alarms and located on the Plant Monitoring and Control panel are the Stop Flash and Resume Flash pushbuttons. These controls are used by the operator during times of multiple alarms to help him more rapidly identify the highest priority alarms, and reduce the distraction of less important alarms until he is ready to address them (refer to Section 18.7.1.5.6 C).

Controls for ex-core nuclear instrumentation are provided. These include audio channel select, volume controls and startup high voltage removal. Reactor power is displayed on a discrete indicator which uses the same DIAS conventions discussed in Section 18.7.1.4. This display also provides CEA motion (as demanded by the RRS) and Tref indications utilizing signals from the Reactor Regulating System (RRS) portion of the Power Control System (PCS).

A PCS Operators Module is provided primarily for the control of system operating / selection modes as well as the display of system specific data from the Control Element Assembly Motion Control, Reactor Regulation, and Reactor Power Cutback functions of the PCS.

A CEA Position Display Operators Module is provided to present a CEA position overview including indication of associated limits and permissives. The position information is based on accumulation of CEDM motion information obtained from the Motion Sequencing Logic.

A Megawatt Demand Setter (MDS) operator's module (see Figure 18.7.4-2) provides the operator with the means to automatically coordinate turbine generator control with specific plant parameters to prevent exceeding NSSS limits affected by local transients. To accomplish this task, display of plant parameters, variable setpoints, maximum allowable rate change, NSSS limits and operating mode selections are provided. In addition, the capability exists to enter selected setpoints and choose the mode of operation.

Two DPS VDUs are mounted on the panel (see Figure 18.7.4-2). The first provides the normal DPS display hierarchy interface (i.e., Integrated Plant Status Overview, Primary Monitoring or other operator selected displays). The second VDU is dedicated to core monitoring functions such as the Core Operating Limit Supervisory System (COLSS), CEA position and associated displays based on operator selection.

A process controller for the Steam Bypass Control System is located on the panel. It is designed in a consistent manner as other process controllers which have been covered in the RCS panel description (Section 18.7.3.2.2). Control identification, symbology and hue, along with functional grouping of control and indication, group demarcation and labeling are in accordance with Nuplex 80+ panel layout criteria (Section 18.7.2) and exemplified by the RCS panel description.

Additional desk space is provided on this panel to accommodate laydown space for procedures or other operator paperwork. Space provision is also made on this panel section for a handset for operator communications with other plant operations personnel.

18.7.4.3 Feedwater and Condensate Panel

The Feedwater and Condensate Panel has those indications and controls the operator requires to monitor and control the feedwater and condensate systems during normal power operations. The controls and indications are provided consistent with Nuplex 80+ standard techniques and conventions, as exemplified

Syctem 80+ Design ControlDocument by the RCS panel. The Feedwater and Condensate panel includes the discrete indicator displays for steam generators (SG) 1 and 2 which contain instrument channels that may be utilized for post-accident monitoring. The display of these instrument channels on this panel is provided for operator convenience, following the Nuplex 80+ philosophy that normally used instmments are also used during accident conditions. Non-safety and PAMI displays for SG 1 and 2 are also provided on the Secondary Cycle panel of the Auxiliary Console. The controls and indications provided on this panel are broken down into functional group arrangements (exemplified on Figure 18.7.4-3). l e Steam Generator 1 1 } This group contains indications and controls associated with steam generator level and pressure, and feedwater system flow. , l e Steam Generator 2 l This group contains indications and controls associated with steam generator level and pressure, and feedwater system flow.

  • Feedwater and Condensate This group contains those indications and controls associated with the feedwater and condensate system including main feedwater pumps, startup feedwater pumps, condensate pumps and booster pumps.
  • Feedwater/ Condensate Train This group contains those indications and controls associated with the condensate system, including hot well level control, condensate cleanup and storage.

Included in the controls mounted on the panel are feedwater process controllers and switches for each steam generator. This includes pumps, downcomer control valves, and economizer control valves. These are shown on Figure 18.7.4-3. These controls are designed in a manner consistent with the other process controllers covered in the RCS panel description (Section 18.7.3.2.2). The Discrete Indication and Alarm System (DIAS) provides steam generator level and pressure, and condensate system parameters, along with the alarms associated with the systems. The Data Processing System (DPS), through the panel mounted VDU, provides general monitoring, system/component level and detail/diagnostic information on the feedwater and condensate systems in a manner consistent with the RCS panel displays (Section 18.7.3.2.1). Manual controls which are required for starting, stopping and controlling the main feed pumps, booster pumps, condensate pumps, and other components required to be operated during system startup (e.g., emergency feedwater pumps), normal operations and shutdown are located on this panel. Control identification, symbology and hue, along with functional grouping of control and indication, group demarcation and labeling are in accordance with Nuplex 80+ panel layout criteria (Section 18.7.2) and exemplified by the RCS panel section (Section 18.7.3).


The Feedwater and Condensate System controls which require infrequent operation (e.g., condensate pump, booster pump and main feed pump suction and discharge valves) for system startup and shutdown are located on the Secondary Cycle panel of the Auxiliary Console.

18.7.4.4 Turbine Control Panel

The Turbine Control Panel has those systems required for control and monitoring of the turbine system during normal operations. The controls and indications are provided consistent with Nuplex 80+ standard techniques and conventions as exemplified by the RCS panel. The Turbine Control panel contains no instrument channels which are required for post-accident monitoring. Additionally, the system itself is not required for plant safety. The Turbine Control panel is divided into a primary functional group relating to the turbine, and two smaller functional groups relating to turbine support components and the generator. A functional layout of the Turbine Control panel is exemplified in Figure 18.7.4-4. Included in the Turbine Control functional group is the turbine EHC module which is provided by the turbine vendor. This panel insert contains those controls and indications required for normal turbine operations. Turbine test functions are provided on a turbine test panel insert which is located on the Auxiliary Console Secondary Cycle panel. Space has been allocated on the panel for inclusion of some controls for turbine support systems (see Figure 18.7.4-4). Selection of those controls is derived based on the turbine vendor's EHC panel and the operator's needs for normal operations. Other turbine support system controls are located on the Secondary Cycle panel of the AC. The Discrete Indication and Alarm System (DIAS) provides for monitoring generator and turbine parameters along with providing alarm functions for both.
The Data Processing System (DPS), via the panel mounted VDU, provides for general monitoring, system/component level monitoring and detailed/diagnostic information on the turbine and generator systems, in a manner consistent with RCS panel displays (Section 18.7.3.2.1). Controls which are mounted on this panel have control identification, symbology and hue, along with functional grouping of control and indication, group demarcation and labeling that are in accordance with Nuplex 80+ panel layout criteria (Section 18.7.2) and exemplified by the RCS panel description (Section 18.7.3). Controls and indications for turbine support systems and the generator which require infrequent operation (e.g., turbine oil pumps, oil lift pumps) are located on the AC Secondary Cycle panel.

18.7.4.5 Safety Monitoring Panel

The Safety Monitoring Panel is used by the operator primarily to monitor the Reactor Protective System (RPS) and Engineered Safety Features Actuation System (ESFAS). It provides continuous display of the availability of ESF systems and continuous display of Regulatory Guide 1.97 Category 1 variables. In addition, the Safety Monitoring Panel contains backup controls for the Process-CCS and the ESF Component Control System (ESF-CCS), and Diverse Manual ESF Actuation Switches. The Safety Monitoring Panel controls and indication have been separated by channel and function. The Safety Monitoring Panel controls and indication consist of the following:


  -  Channel A, B, C, D Plant Protection System (PPS) operators modules,
  -  Channel A, B, C, D Core Protection Calculator (CPC) operators modules,
  -  Channel A, B, C, D ESF-CCS operators modules,
  -  Two Discrete Indication and Alarm System (DIAS-P) discrete indicators,
  -  Channel X, Y Process-CCS operators modules,
  -  B and C channelized pushbutton switches for manual initiation of reactor trip and ESF actuation signals,
  -  Diverse Manual ESF Actuation Switches,
  -  A radiation monitoring indicator,
  -  An ESF status monitoring module,
  -  Alarm tiles,
  -  DPS VDU.

A functional layout of the Safety Monitoring Panel is exemplified on Figure 18.7.4-5. The PPS operators modules provide pre-trip, trip and bypass indication of the Reactor Protection System (RPS) and Engineered Safety Features Actuation System (ESFAS). Bypass error indication and a bistable reset indicator are also provided. The PPS operators module also provides indication of linear power and variable setpoint resets for pressurizer pressure and steam generator pressure. The CPCS operators module provides CPCS Trip Logic Calculator (TLC) and CEAC parameter indication, function enable, TLC trip bypass, and TLC and CEAC status indicator lights. The ESF-CCS operators modules provide access to all ESF-CCS controls and indication. These features are used in the event of failure of any discrete controls or process controllers located on other control room panels. ESF selective group testing is performed at the A, B, C, and D operators modules (see Section 7.3 for details). Each module also provides system status for equipment failure. The DIAS-P discrete indicators provide continuous display of all Regulatory Guide 1.97 Category 1 signals. These displays are redundant to DIAS-N and DPS displays located at other panels. These DIAS indicators are designed in accordance with the standard Nuplex 80+ discrete indicators described in Section 18.7.1.4. The Process-CCS operators modules provide access to all Process-CCS controls and indication. These features are used in the event of failure of any discrete controls or process controllers located on other control room panels (see Section 7.7 for details). B and C channelized pushbutton switches are located on the panel for manual initiation of reactor trip and interface with their respective ESF actuation signals. Pushbutton switches A and D are located on the Plant Monitoring and Control Panel of the Master Control Console.


A single safety grade channel is provided as a backup (via Diverse Manual ESF Actuation Switches) to ESF actuation via the ESF-CCS and PPS. These switches provide for system level actuation of two trains of safety injection, and one train each of containment spray, feedwater, closure of main steam isolation valves, closure of containment air purge valves, and closure of a letdown isolation valve (see Section 7.3). A radiation monitoring module is located on the panel. It is part of the radiation monitoring system and is used to monitor the radiation levels in and out of the plant. An ESF status monitoring module is located on the panel. This module displays high level indication of abnormalities in ESF performance and ESF availability. This function is described in Section 18.7.1.8 and the module is shown in Figure 18.7.1-12. The alarm tiles display alarms associated with the performance of the PPS, CPC, and CCS. In addition, the alarm tiles display the Critical Function alarms, the radiation monitoring alarms, and the ESF performance and inoperability alarms. The DPS VDU provides direct access to the DPS. Control identification, symbology and color, along with functional grouping of control and indication, group demarcation and labeling, are in accordance with Nuplex 80+ panel layout criteria (Section 18.7.2) and exemplified by the RCS panel description.

18.7.4.6 Engineered Safety Features Panel

The Engineered Safety Features (ESF) Panel contains those controls and indications that are required for the control and monitoring of the following safety related systems:

  • Shutdown Cooling
  • Emergency Feedwater/Atmospheric Dump
  • Safety Depressurization
  • Safety Injection Tanks
  • Safety Injection
  • Containment Spray
  • Cavity Flood

In addition, indications are continuously available to allow the operator to assess the status of Containment Isolation and Steam/Feedwater Isolation to each steam generator. The controls and indications provided are consistent with Nuplex 80+ standard techniques and conventions, as exemplified by the RCS panel. The systems whose component controls are mounted on this panel are safety-related systems. Discrete Indication displays are provided with each of the functional groups to monitor the system/equipment performance associated with the group. The safety systems on the ESF panel support Plant Safety Functions (e.g., Emergency Feedwater supports RCS heat removal via the steam generators).

System 80+ Design controlDocument The effect that a safety system has on a plant safety function is monitored on this panel's DPS VDU, IPSO or the Safety Monitoring Panel, which is directly to the left of the ESF Panel The controls and indications on the ESF panel are broken down into functional groups as follows (see Figure 18.7.4-6):

  • Shutdown Cooling: Each of the two shutdown cooling trains is laid out on the panel using a system flow path mimic arrangement. A discrete indicator is provided for monitoring shutdown cooling process parameters.
  • Emergency Feedwater/Atmospheric Dump: Each of the two emergency feedwater trains and the atmospheric dump valves are laid out on the panel using a system flow path mimic arrangement. A discrete indicator is provided for monitoring emergency feedwater process and steam generator parameters. Two process controllers are provided for control functions associated with steam supply to the steam-driven pumps and feedwater flow control. Switches provide control of the atmospheric dump valves.
  • Safety Injection/Safety Injection Tanks: Each safety injection train and safety injection tank is arranged on the panel using a system flow path mimic layout. Discrete indication is provided for monitoring the parameters associated with these systems.
  • Containment Spray: Each of the containment spray trains and associated component controls are laid out on the panel using a system flow path mimic arrangement. Discrete indication is provided for containment spray related parameters.
  • Safety Depressurization: Safety depressurization component controls are provided for Pressurizer and Reactor Vessel depressurization in a single location.
  • Containment Isolation: Containment isolation valve functional group control and indication, providing continuous display of containment isolation status and performance, exist at one location on the ESF panel. The controls for these valves are also distributed throughout the control panels in their appropriate flowpaths. The ESF panel provides a second source of valve indication and close-only control.
  • Cavity Flood: Cavity flood component controls are provided to accommodate cavity flood during a severe accident.


  • In-Containment Refueling Water Tank: Component controls are provided to accommodate operation of In-Containment Refueling Water Tank (IRWST) components.

Process controllers which are mounted on the ESF Panel are designed in a manner consistent with the other Nuplex 80+ process controllers, as discussed in the RCS panel description (Section 18.7.3.2.2). Discrete indicators provide display of those parameters associated with each ESF system that provide overview indication of system performance. In addition, these indicators provide access to all information required for continued plant operation after loss of the DPS VDU displays. The DIAS also provides the alarms associated with the systems. The DPS panel mounted VDU provides general monitoring, system/component level and detail/diagnostic information on the ESF systems in a manner consistent with RCS panel design (Section 18.7.3). Control identification, symbology and hue, along with functional grouping of control and indication, group demarcation and labeling, are in accordance with Nuplex 80+ panel layout criteria (Section 18.7.2) and exemplified by the RCS panel description (Section 18.7.3).

18.7.4.7 Cooling Water Panel

The Cooling Water Panel contains those controls and indications that are required for control and monitoring of the Ultimate Heat Sink (UHS), Station Service Water System (SSWS) and Component Cooling Water System (CCWS) non-safety cooling water systems. The CCWS has safety-related and non-safety-related subsystems. The controls and indications provided are consistent with Nuplex 80+ standard techniques and conventions, as exemplified by the RCS panel. The component controls associated with each cooling water system are laid out on the panel using a system flowpath mimic format. The panel is divided into functional groups pertaining to Component Cooling Water and Station Service Water/Ultimate Heat Sink System.
The functional layout of the Cooling Water panel is exemplified by Figure 18.7.4-7. Process controllers which are mounted on the Cooling Water Panel are designed in a manner consistent with the other process controllers covered in Section 18.7.1.7, Process Controllers. The DIAS provides display of those parameters associated with the Cooling Systems to provide overview indication of system performance. In addition, these indicators provide access to all information required for continued plant operation after loss of the DPS VDU displays. The DIAS also presents alarms associated with the cooling water systems. The DPS panel mounted VDU provides general monitoring, system/component level and detail/diagnostic information on the systems in a manner consistent with RCS panel design (Section 18.7.3). Control identification, symbology and hue, along with functional grouping of control and indication, group demarcation and labeling, are in accordance with Nuplex 80+ panel layout criteria (Section 18.7.2) and exemplified by the RCS panel description.

18.7.4.8 Secondary Cycle Panel

The Secondary Cycle Panel has those systems required for control and monitoring of feedwater and condensate, turbine, auxiliaries, excitation and other miscellaneous secondary support systems. These systems are required to be operated infrequently during normal operation, or are required to be operated only during plant startup, shutdown, or testing. The controls and indications are provided consistent with Nuplex 80+ standard techniques and conventions, as exemplified by the RCS panel. The systems whose components are mounted on this panel are not required for plant safety; however, the discrete indicator displays contain instrument channels, such as for steam generator (SG) 1 and 2 level, which may be utilized for post-accident monitoring. The display of these instruments on this panel is provided as operator convenience following the standard Nuplex 80+ information display philosophy that instruments used normally are also used during accident conditions. Non-safety and PAMI displays for SG 1 and 2 level and other parameters are also provided on the Feedwater and Condensate Panel on the MCC and the Engineered Safety Features Panel of the Safety Console. The controls and indications on the secondary cycle panel are broken down into functional groups (exemplified on Figure 18.7.4-8):

  • Steam Bypass: Contains the individual turbine bypass valve controls and indications.
  • Turbine Test: Is a panel insert which contains turbine test functions and is provided by the turbine vendor.
  • Turbine Auxiliaries: Contains miscellaneous component controls associated with the turbine (e.g., oil lift pumps, turning gear, emergency oil pumps).
  • Feedwater: Contains those controls and indications associated with the feedwater system such as feedwater pump, oil pumps, low pressure and high pressure feedwater heater controls.
  • Condenser Vacuum: Contains controls and indications for components associated with condenser vacuum (e.g., vacuum pumps, vacuum breakers).
  • Condensate: Contains those controls and indications associated with the condensate system such as condensate storage and condensate pump suction and discharge valves.
  • Auxiliary Steam, Non-critical Main Steam and Extraction Steam: Contains controls and indications for those isolation valves associated with the steam systems.
  • Gland Seal Steam: Contains those controls and indications associated with the seal steam supply and exhaust for the main turbine and various steam valve stems.


Process controllers which are mounted on the Secondary Cycle Panel are designed in a manner consistent with the other process controllers, which are covered in Section 18.7.1.7, Process Controllers. The DIAS provides display of those parameters associated with the secondary cycle that provide overview indication of system performance. In addition, these indicators provide access to all information required for continued plant operation after loss of the DPS VDU displays. The DIAS also presents alarms associated with the Secondary Cycle systems. The DPS panel mounted VDU provides general monitoring, system/component level and detail/diagnostic information on the systems in a manner consistent with RCS panel design (Section 18.7.3). Control identification, symbology and hue, along with functional grouping of control and indication, group demarcation and labeling, are in accordance with Nuplex 80+ panel layout criteria (Section 18.7.2) and exemplified by the RCS panel description.

18.7.4.9 Electrical Distribution Panel

The Electrical Distribution Panel has those systems which provide control and monitoring of the auxiliary power distribution, the emergency diesel generators and the alternate AC power source. The controls and indications on this panel require infrequent monitoring or operation by the operator during normal plant operation. The controls and indications are provided consistent with Nuplex 80+ standard techniques and conventions, as exemplified by the RCS panel. The emergency diesel generators and the auxiliary power distribution are Class 1E systems serving electrical trains A and B which are required for plant safety. The Alternate AC Power Source is not a safety-related system. The controls and indication on this panel are broken down into functional groups (exemplified on Figure 18.7.4-9):
  • Auxiliary Power Distribution: Contains those controls and indication associated with the onsite distribution of the major normal and emergency power.
  • Alternate AC Source: Contains those controls and indications for controlling and monitoring the plant specific alternative AC power supply.
  • Diesel Generator 1: Contains those controls and indications for controlling the emergency diesel generator for train A electrical buses.
  • Diesel Generator 2: Same as Diesel Generator 1, except generator 2 serves train B electrical buses.

Individual synchroscopes are mounted in the diesel generator and the alternate AC source functional groups. This is a departure from the Nuplex 80+ standard indication and monitoring techniques. The approach of using standard, commercially available synchroscopes is necessary because the Nuplex 80+ discrete indicator and DPS display technology is not technically appropriate for this application. This results from the real-time concerns associated with developing a synchroscope utilizing multiplexed inputs and outputs. The DIAS provides display of those parameters associated with the emergency power sources and site electrical distribution and provides overview indication of system performance. In addition, those indicators provide access to all information required for continued plant operation after loss of the DPS VDU displays. The DIAS also provides the alarms associated with the above systems. The DPS panel mounted VDU provides general monitoring, system/component level and detail/diagnostic information on the systems in a manner consistent with RCS panel design (Section 18.7.3.2.1). Control identification, symbology and hue, along with functional grouping of control and indication, group demarcation and labeling, are in accordance with Nuplex 80+ panel layout criteria (Section 18.7.2) and exemplified by the RCS panel description.

18.7.4.10 Switchyard Panel

The Switchyard Panel has those systems required for control and monitoring of the main generator and site power connections to the electrical grid. These are required to be operated infrequently during normal operation or are used only during plant startup, shutdown, or testing. The controls and indications are provided consistent with Nuplex 80+ standard techniques and conventions, as exemplified by the RCS panel. The systems whose components are mounted on this panel are not required for plant safety. The controls and indications on this panel are broken down into functional groups (exemplified on Figure 18.7.4-10):

  • Generator Excitation: Contains those controls and indication associated with the electrical excitation and control of the main generator (e.g., manual voltage regulation, generator field and exciter breaker controls).
  • Generator Auxiliaries: Contains miscellaneous component controls associated with the generator (e.g., main seal oil pump, stator coolant pumps).
  • Hydrogen Supply: Contains the controls associated with the hydrogen cooling gas supply to the main generator.
  • Core Monitor: Is a vendor supplied insert used for monitoring various parameters of the generator (e.g., temperatures within various stator locations).
  • Switchyard: Contains the controls and indications for the various breakers connecting the site and main generator to the electrical grid.

An individual synchroscope is mounted in the Generator Excitation functional group. This is a departure from the Nuplex 80+ standard indication and monitoring techniques. This approach of using a standard, commercially available synchroscope is necessary because the Nuplex 80+ discrete indicator and DPS display technology is not technically appropriate for this application. This results from the real-time concerns associated with developing a synchroscope utilizing multiplexed inputs and outputs. Space provisions are made on the panel section for a handset for operator communications with the load dispatcher. The DIAS provides display of those parameters associated with the main generator and switchyard electrical systems that provide overview indication of system performance. In addition, those indicators provide access to all information required for continued plant operation after loss of the DPS VDU displays. The DIAS also provides the alarms associated with the switchyard systems. The DPS panel-mounted VDU provides general monitoring, system/component level and detail/diagnostic information on the systems in a manner consistent with RCS panel design (Section 18.7.3.2.1). Control identification, symbology and hue, along with functional grouping of control and indication, group demarcation and labeling, are in accordance with Nuplex 80+ panel layout criteria (Section 18.7.2) and exemplified by the RCS panel description.

18.7.4.11 Heating, Ventilation, and Air Conditioning Panel

The Heating, Ventilation, and Air Conditioning (HVAC) Panel contains those controls and indications that are required for monitoring and control of System 80+ HVAC systems. The controls and indications on this panel are broken into functional groups (exemplified on Figure 18.7.4-11):

  A. Nuclear Annex Ventilation
  B. Control Complex Ventilation
  C. Fuel Building Ventilation
  D. Diesel Building Ventilation
  E. Annulus Ventilation
  F. Containment Cooling & Ventilation
  G. Turbine Building Ventilation
  H. Station Service Water Pump Structure Ventilation
  I. Radwaste Building Ventilation

The controls and indications provided are consistent with Nuplex 80+ standard techniques and conventions as exemplified by the RCS panel. HVAC systems A, B, C, D, and H above, as well as the Containment Isolation Functions associated with HVAC systems E and F above, are safety-related. The remainder of the HVAC indications and controls are not related to safety.

Process control modules which are mounted on the HVAC Panel are designed in a manner consistent with the other process control modules, which are covered in the RCS panel description (Section 18.7.3.2.2). The DIAS provides display of those parameters associated with the HVAC systems that provide overview indication of system performance. In addition, these indicators provide access to all information required for continued plant operation after loss of the DPS VDU displays. The DIAS also provides the alarms associated with the HVAC systems. The DPS panel mounted VDU provides general monitoring, system/component level and detail/diagnostic information on the systems in a manner consistent with RCS panel design (Section 18.7.3.2.1). Control identification, symbology and hue, along with functional grouping of control and indication, group demarcation and labeling, are in accordance with Nuplex 80+ panel layout criteria (Section 18.7.2) and exemplified by the RCS panel description.

18.7.4.12 Fire Protection Panel

The Fire Protection Panel contains those controls and indications that are required to:

  • Alert the operator to the existence of fires.
  • Monitor the performance of fire protection equipment.
  • Provide manual back up for the automatic fire suppression systems.

The controls and indications are provided consistent with Nuplex 80+ standard techniques and conventions, as exemplified on the RCS panel. The controls and indications associated with the fire protection panel are grouped into functional groups (exemplified on Figure 18.7.4-12):

  • Fire Protection water supply source, pumps, and headers.
  • Nuclear Annex fire protection equipment.
  • Administration, Service Office building, and other buildings and structures outside the Nuclear Island fire protection equipment.
  • Plant exterior area fire protection equipment.
  • Turbine area fire protection equipment.
  • Diesel area fire protection equipment.

The DIAS provides display of those parameters associated with the Fire Protection systems that provide overview indication of system performance. In addition, these indicators provide access to all information required for continued plant operation after loss of the DPS VDU displays. The DIAS also provides the alarms associated with the fire protection systems. DIAS alarm tiles, located on the upper panel section, are provided to notify the operator of the existence of fires within the plant. The DPS panel mounted VDU provides general monitoring, system / component level and detail / diagnostic information on the systems in a manner consistent with RCS panel design (Section 18.7.3.2.1).



Control identification, symbology and hue, along with functional grouping of control and indication, group demarcation and labeling, are in accordance with Nuplex 80+ panel layout criteria (Section 18.7.2) and exemplified by the RCS panel description.

18.7.4.13 [Deleted]

18.7.4.14 Control Room Supervisors Console

The Control Room Supervisors (CRS) Console and Desk provide a workstation from which the control room supervision can coordinate and monitor plant operations. The SRO's workstation is made up of two sections, the CRS Console and the CRS Desk, as exemplified in Figures 18.7.4-13 and 18.7.4-14.

The CRS Console sections allows the CRS to face into the controlling workspace and view the IPSO, MCC and ACSC panels. In addition, the console has two DPS VDUs to allow the CRS to access plant information. The DPS display pages are the same format as utilized throughout the Nuplex 80+ Advanced Control Complex, and have the same capabilities (e.g., alarm acknowledgement via touch targets). In addition, a keyboard is provided to allow data entry by the CRS that may be time consuming with the touch screens. Provision is made on the console for providing various communication interfaces, which the CRS needs to access (e.g., paging system, intercom, sound powered and the phone circuits). The following communication features are provided on the CRS console: o Intra-plant System Telephones These telephones provide independent communication throughout the plant and plant site. To ensure its functional operability, a switching feature is provided to allow switchover to redundant circuit electronics, controls, and power supplies. Emergency power is provided from a standby diesel generator, which will automatically statt and accept load should normal power be lost. e Intra-plant Public Address Telephones ! These telephones provide two independent channels of conununications throughout the plant and plant site. These independent channels are page and part line. The page channel provides communications over loud speakers with integral amplifiers. Page channel speaker-amplifiers are ring wired to preclude loss of system function in the event of a single cable failure. Paging is ac.:omplished via the use of either dedicated PA party-line handsets, or via the use of Inter-plant telephone handsets. 
The connection between the Inter-plant and PA systems is through an isolation device to preserve the independence of the two systems.

• Intra-plant Sound-powered Telephones

Intra-plant sound-powered telephones, independent of the Inter-plant and PA systems, are provided on the communications panel to provide the following communications during normal and abnormal/accident conditions:

Approved Design Material - Human Factors Engineering Page 18.7-105


1. Maintenance

Provides communication to phone jack locations throughout the plant which can be patched together, as necessary.

2. Refueling

Provides communications to areas required for refueling operations.

3. Emergency

Provides communications to phone jack locations in specific areas of the plant for the purpose of communication during auxiliary shutdown operations.

The emergency sound-powered telephone system is powered from diesel backed power sources.

• Offsite Communications

Emergency offsite communications, independent of the interplant telephone switch, are provided by public telephone lines and the utility private network lines connected directly to specific telephones located in critical areas of the plant and support facilities. Emergency telephones are color-coded to distinguish them from the intraplant telephone system. The emergency telephones include, but are not limited to, the following:


1. Emergency Notifications System (ENS)

Provides a communications link with the Nuclear Regulatory Commission.

2. Health Physics Network (HPN)

Provides a communications link with the NRC's health physics personnel.

3. Ringdown Phone System

Provides a communications link with local and state agencies.

In addition, a security radio system is provided in accordance with 10 CFR 73.55(f), and a crisis management radio system is provided in accordance with NUREG-0654.

Additional communication features are provided at other panel locations within the control room to allow operations personnel to communicate with maintenance, auxiliary operations, and administrative personnel. Storage provisions are made at the console in two forms:

• Drawers - located under the DPS VDU sections.

• Bookcases - located in the lower section of the console and accessible from the controlling workspace.


Sufficient desk space has been provided at the console to allow the CRS to lay out procedures and paperwork, as may be required in his plant monitoring activities. These features are shown on Figure 18.7.4-13. By swiveling his chair around, the CRS faces the desk section of his workstation. This desk is used by the CRS as laydown space and to interface with maintenance and other personnel, while limiting their access to the controlling workspace. Storage space in the form of drawers and bookcases is also provided at this desk. The CRS Desk design is shown in Figure 18.7.4-14. The arrangement of the CRS workspace provides sufficient space for two persons to utilize the DPS VDUs for information access without overcrowding.

References for Section 18.7

1. "The Experimental Evaluation of the Success Path Monitoring System," Marshall and Gaudio, IEEE Fourth Conference on Human Factors and Power Plants, June 1C.
2. "ABB/CE Letter to the NRC," LD-92-102, September 23, 1992.
3. "Nuplex 80+ Verification Analysis Report," NPX-TE-790-01.


Table 18.7.3-1 RCS Gross Functions and Subfunctions

Calibration of RCP Instruments
Calibration of RCP Seal Injection System Instruments
Calibration of RCS Instruments
Calibration of RCS Pressure
Collapse RCS Voids
Compensate for RCS Shrinkage
Confirm RCS Inventory Control
Control RCP Seal Injection
Control RCS Depressurization, Heat Removal
Control RCS Pressure (method 1) (method 2)
Control RCS and Core Heat Removal
Control RCS Heat Input
Control RCS Inventory Recirculation
Control RCS Inventory
Determine if Conditions Permit RCP Start
Determine Need for Main or Auxiliary Pzr Spray
Determine Need for Forced Cooling
Determine Present Heat Removal Adequacy
Diagnose Reactor Trip
Ensure Core/Vessel Material Integrity
Ensure Electrical Power to RCPs
Ensure Proper Diagnosis of Excess Steam Demand Event
Ensure Valve Alignments for Loss of Coolant Accident
Ensure Vessel P-T Limits Maintained
Evaluate RCS Leakage - Off Normal
Isolate LOCA Outside Containment
Isolate Letdown
Isolate RCP Controlled Bleedoff
Isolate RCS to CCW Leakage
Letdown RCS Expansion During Heatup

Table 18.7.3-1 RCS Gross Functions and Subfunctions (Cont'd.)

Maintain Control of RCS Heat Removal
Maintain Control of RCS Pressure
Maintain Core Heat Removal
Maintain RCP Motor and Seal Cooling
Maintain RCP Seal Injection
Maintain RCS Heat Removal
Maintain RCS Inventory
Maintain RCS Parameters
Maintain RCS Pressure
Maintain Core Heat Removal
Maintain Equipment Cooling
Monitor RCP Operating Limits
Monitor RCP Seal/Bleed System
Monitor RCS for P-T Violations
Monitor RCS Heat Removal
Monitor RCS Inventory
Monitor RCS Inventory Recirculation
Monitor RCS Parameters for Natural Circulation
Monitor RCS Parameters for Forced Circulation
Monitor RCS Pressure
Monitor SCS Parameters
Monitor Core Heat Removal
Monitor for Loss of Coolant Accident Termination Criteria
Monitor for Loss of Feedwater Termination Criteria
Monitor for Excess Steam Demand Event Termination Criteria
Monitor Inventory Sources
Monitor/Control RCS Voiding
NSS Maintenance Activity Control
Natural Circulation Operation with RCP(s) Out of Service
Safety Valve Position Check

Table 18.7.3-1 RCS Gross Functions and Subfunctions (Cont'd.)

Perform Pre Start Checkoff List
Perform Pressurizer Heatup
Perform Reactor Coolant Heatup Using RCPs
Record Time for Accidents
Record and Measure Data During Startup
Restart RCPs
Perform Standard Post Trip Actions
Start RCP
Stop all RCPs
Stop Two RCPs
Stop the Cooldown
Verify Natural Circulation Cooling

Table 18.7.3-2 RCS Panel Switch Descriptions

Switch Type   Region   Color   Information Type
A             1        Blue    Alpha-numeric (component ID)
              2        Red     Graphic (valve symbol)
              3        Green   Alpha (function)
B             1        Red     Alpha-numeric (component ID)
              2        Red     Graphic (valve symbol)
              3        Green   Alpha (function)
C             1        Red     Alpha-numeric (component ID)
              2        Red     Graphic (positive displacement pump)
              3        Green   Alpha (function)
D             1        Red     Alpha-numeric (component ID)
              2        Red     Graphic (centrifugal pump)
              3        Green   Alpha (function)
E             1        Red     Alpha-numeric (component ID)
              2        Red     Graphic (heater)
              3        Green   Alpha (function)
              4        Blue    Alpha (function auto)
F             1        Red     Alpha-numeric (component ID)
              2        Red     Graphic (heater)
              3        Green   Alpha (function)
G             1        White   Alpha (function)

Table 18.7.3-3 RCS Panel Switch Identification

Component ID (Region 1)   Switch Type   Descriptor of Function (Region 3)
RC-446                    B             HP Cooler Inlet Isol
RC-450                    B             HP Cooler Outlet Isol
RCP-1A                    C             Reactor Coolant Pump
OL-1A                     D             Oil Lift Pump
RC-430                    B             Bleedoff Isolation
RC-447                    B             HP Cooler Inlet Isol
RC-451                    B             HP Cooler Outlet Isol
RCP-1B                    C             Reactor Coolant Pump
OL-1B                     D             Oil Lift Pump
RC-431                    B             Bleedoff Isolation
RC-448                    B             HP Cooler Inlet Isol
RC-452                    B             HP Cooler Outlet Isol
RCP-2A                    C             Reactor Coolant Pump
OL-2A                     D             Oil Lift Pump
RC-432                    B             Bleedoff Isolation
RC-449                    B             HP Cooler Inlet Isol
RC-453                    B             HP Cooler Outlet Isol
RCP-2B                    C             Reactor Coolant Pump
OL-2B                     D             Oil Lift Pump
RC-433                    B             Bleedoff Isolation
CH-241                    A             Seal Inj to RCP-1A
CH-242                    A             Seal Inj to RCP-1B
CH-243                    A             Seal Inj to RCP-2A
CH-244                    A             Seal Inj to RCP-2B
CH-255                    B             Seal Inj Cntmt Isol
CH-231                    A             Seal Inj Temp Cntl
CH-205                    B             Aux Spray Isol
RC-100E                   A             RCP-1A Spray Isol
RC-100F                   A             RCP-1B Spray Isol

Table 18.7.3-3 RCS Panel Switch Identification (Cont'd.)

Component ID (Region 1)   Switch Type   Descriptor of Function (Region 3)
GRP-B1                    E             PZR B/U Htr Cntl
GRP-B2                    E             PZR B/U Htr Cntl
GRP-B3                    E             PZR B/U Htr Cntl
GRP-B4                    E             PZR B/U Htr Cntl
GRP-B5                    E             PZR B/U Htr Cntl
GRP-B6                    E             PZR B/U Htr Cntl
GRP-B7                    E             PZR B/U Htr Cntl
GRP-B8                    E             PZR B/U Htr Cntl
GRP-1                     F             PZR Prop Htr Bkr Cntl
GRP-2                     F             PZR Prop Htr Bkr Cntl
CH-515                    B             Letdown Isol
CH-516                    B             Letdown B/U Isol
Lamp Test                 G             N/A

[Figure 18.7.1-1: Integrated Information Presentation]


[Figure 18.7.1-3: DPS Display Page Hierarchy]

[Figure 18.7.1-4: Display Page Menu Option Region (menu options shown: PRI, SEC, PWR, ELE, AUX, OTHR; CFM)]

[Figure 18.7.1-8: Description of Nuplex 80+ Alarm Coding Features (panels: New Priority 1 / Existing Priority 1, New Priority 2 / Existing Priority 2, New Priority 3 / Existing Priority 3; coding legend: High Intensity Yellow, Medium Intensity Yellow)]

[Figure: Unacknowledged Alarms display page mockup (columns: Title, Description, Set Point, Value, Time, Pri; sample entries from the RCS Panel (RCS Control, level 2) and CVCS Panel (Chg/Letdown, level 2) alarm groups; menu options PRI, SEC, PWR, ELE, AUX, OTHR)]

[Figure: Alarm tile display mockup (RCS and Seal/Bleed alarm tiles, e.g., PZR Press Hi, PZR Level Hi, PZR Sfty Temp Hi, PZR Press Low, PZR Level Low; alarm tile status and alarm description shown for "PZR LEVEL LOW")]

[Figure: ESF Unavailability Monitoring display mockup (SIS, CS, EFW; Trains A, B, C and D; alarm clear list)]

[Figure: Critical Function Monitoring (CFM) Level 1 display mockup (Safety Function Status Check; Cntmt Isolation; Cntmt Environ; Vital Aux; Functional Recovery Guideline entries: Rx Trip Recovery, LOCA, SGTR, ESDE, LOAF, LOOP, Station Blackout; menu options PRI, SEC, PWR, ELE, AUX)]

w5$ =o+ eIg nl iia' - O 8 5 1 2

: - ~ -

i 8 8 1  : : ~ - .

                                                    )                        e             o sl
  • N s s / v#

2 I i 3L t r \ H i ( / a

                   .                           i5 w                              -                                                                                        .

L L r * -

                                                                                             -                            R n                                                      l L

r C c Mi9 + D - ( R L

                                                                                             ---           nLEA E        E P E L8 8           _

e " uE t SB L O S O1 C --- n 9 R . a 5 _- --- C 9 T . 8 9 e 0 e. N T S

                                                                                  . 5 2   5     1 5                       :

2 O 5 4 T N G 1 - C gI R 1 D R AT B L H C R H T O Y R G q 7 x e. 7 X 6 4 7 9 5 5 5 7 N a D X O Y 5 h O I p p e p m p U A T T P c I . s s s E S E S T T C . e e e E N F A D S L E J L E S

                          -           -  $   R           ,

N I r F F F E V Z P Y w R W A kJ F . N 4 i E A A L o P 9 F - I 7 A . C D w5 1 9 C S o9 E L7 S E - 1 L 4 r'- e 3 7 r r/ I 6 u R sa P si T es n a EE, 5 C P rp 8 F C r8 21 P2 '

                                                       -       d      .                                                           *,

9 8 ev% a1 0 E "e k 1 HL O  ?$ 2=H mj . h 3 y 1 ". r {1 rg =.* k I a%e

{ Y o- $ E

  • e 5

[Display page residue, caption not recovered. Panel title: SAFETY INJECTION (CFM) Level 3. Elements: SIT 1, SIT 2, SIT 3, SIT 4; IRWST; HOT LEG; LOOP; safety injection tags SI-311, SI-312, SI-313, SI-314, SI-315, SI-316, SI-317, SI-319, SI-399 with associated pressure readings; OPERATOR AID; OPER SEL; menu bar CFM PRI SEC PWR ELE AUX OTHR]

[Display page residue, captions not recovered: four views of the PRESSURIZER LEVEL CONTROL page. Sections: LEVEL, CHARGING, LETDOWN; modes MANUAL, SEMI-AUTO, AUTO; PZR level with VALID indication, RRS-SP and OPER-SP setpoints and +5/-5 adjustment; charging and letdown flows F-212 and F-202 in GPM with +20/-20 adjustment and OUTPUT; controller tags CH-201P and CH-201Q; SELECT, CLOSE, CLEAR]
[Display page residue, caption not recovered: RCP 1A seal and oil page. Elements: SEAL #1, SEAL #2; INLET PRESS (PSIG); OUTLET TEMP T-167 and T-191 (°F); PUMP & MOTOR OIL SYS; NORMAL]

System 80+ Design Control Document

Figure 18.7.2-1: Control Panel Layout Configuration (Approved Design Material - Human Factors Engineering, Page 18.7-137)

[Symbol legend residue: VALVE, 3-WAY VALVE, CENTRIFUGAL PUMP, POSITIVE DISPLACEMENT PUMP, HEATER]

Figure 18.7.2-2: Symbol List (Approved Design Material - Human Factors Engineering, Page 18.7-138)

[Display page residue, caption not recovered: function switch and legend example. Labels: UNAMBIGUOUS IDENTIFIER; RED COLOR CODE; GREEN COLOR CODE; FUNCTION SYMBOL; FUNCTION DESCRIPTION CODE; WASTE MGT; AUTO; SELECT FUNCTION SWITCH AND LEGEND]

This Figure Intentionally Blank (Deleted)

Figure 18.7.2-4 (Approved Design Material - Human Factors Engineering, Page 18.7-140)

[Display page residue, caption not recovered. Panel title: PRIMARY (PRI) Level 1. Elements: SG 1 and SG 2 steam and feedwater (FW) flows in LBM/HR; RCS Tc, Th, Tave and Tref (°F); Rx PWR and TURB PWR (%); pressurizer pressure and level with setpoints; SEAL BLD; OPER SEL; menu bar CFM PRI SEC PWR ELE AUX OTHR]

[Display page residue, caption not recovered. Header: © 1991 Combustion Engineering Inc., 31 OCT 91 10:57:55. Panel title: RCS CONTROL (PRI) Level 2. Elements: TURB PWR (%); SAFETY valve tags; PZR H/U RATE (°F/HR); Rx H/U RATE (°F/HR); RDT; RCS Th, Tave, Tref and Tc; P SP 2235; L SP 54.9 %; D/P; SG 1, SG 2; CHG, LTDN, SEAL BLD; OPER SEL; menu bar CFM PRI SEC PWR ELE AUX OTHR]

[Display page residue, caption not recovered. Header: © 1991 Combustion Engineering Inc., 31 OCT 91. Panel title: PRESSURIZER PRESSURE (PRI) Level 3. Elements: SPRAY VALVES; SAFETY VALVES (RC-2xx tags); IRWST PRESSURE; RDT; PZR; RCS; PANEL; SET PT 2235; CNTL VALID channels A through D; PROP HTRS; B/U HTRS; SEAL BLD; OPER SEL; menu bar PRI CFM SEC PWR ELE AUX OTHR]

Figure 18.7.3-4: Pressurizer Level Diagnostic Page (Level 3) (Approved Design Material - Human Factors Engineering, Page 18.7-144)

Figure 18.7.3-5: RCS/Vessel Diagnostic Page (Level 3) (Approved Design Material - Human Factors Engineering, Page 18.7-145)

[Display page residue, caption not recovered: RCS temperature page. Elements: RCS Tave (VALID); RCS Tcold; RCS Thot; COLD LEG 1, COLD LEG 2; RANGE; LOOP 1, LOOP 2; CALC VAL; instrument channels A and B; OPER SEL]

Figure 18.7.3-7: RCP 1A/1B Control Page (Level 2) (Approved Design Material - Human Factors Engineering, Page 18.7-147)

Figure 18.7.3-8: RCP 1A Seal / Cooling Diagnostic Page (Level 3) (Approved Design Material - Human Factors Engineering, Page 18.7-148)

Figure 18.7.3-9: RCP 1A Pump, Motor and Oil System Diagnostic Page (Level 3)


Figure 18.7.3-11: Pressurizer Pressure and Level Menu Page for DIAS (Approved Design Material - Human Factors Engineering, Page 18.7-151)

[Panel front NPS-PANELFRONTS (SHT 12): RCS Thot / Tcold temperature display (PAMI). Loop 1 channel groups T-111 and T-112 (sub-channels A-D), Loop 2 channel groups T-121 and T-122 (sub-channels A-D); calculated Loop 1 and Loop 2 Thot / Tcold and calculated RCS Thot / RCS Tcold; scale annotations 610 °F and 465 °F. Drawing and a preceding rotated table are not recoverable from the extracted text.]

[Panel front NPS-PANELFRONTS (SHT 5): RCP 1A seal / bleed display. Bar graphs for RCP 1A CNTL BLEED FLOW F-156 (scale 0-15) and RCP 1A SPRAY LINE TEMP T-103 (scale 0-700 °F); selection buttons RCS, PZR, VESSEL and MENU. Drawing not recoverable.]

[Panel front NPS-PANELFRONTS (SHT 13): RCP seal / bleed menu (PAMI). Header readouts: RCP 1A CNTL BLEED FLOW F-156 and PZR WATER TEMP (tag partly illegible). Menu items: RCP-1A CNTL BLEED FLOW F-156, RCP-1B CNTL BLEED FLOW F-166, RCP-2A CNTL BLEED FLOW F-176, RCP-2B CNTL BLEED FLOW F-186, SEAL INJ HX INLET TEMP T-231E; RCS SUBCOOLED MARGIN (°F and PSI), CET SUBCOOLED MARGIN (°F and PSI), UP HEAD SUBCOOLED MARGIN (°F and PSI). Selection buttons RCS, PZR, VESSEL, MENU. Drawing not recoverable.]
[Panel front (sheet number illegible): RCS pressurizer water temperature menu. Header readout PZR WATER TEMP T-101A. Menu items: PZR WATER TEMP T-101A, PZR WATER TEMP T-101B, RC-200 SAFETY LINE TEMP T-105, RC-201 SAFETY LINE TEMP T-107, RC-202 SAFETY LINE TEMP T-108, RC-203 SAFETY LINE TEMP T-109. Selection buttons RCS, PZR, VESSEL, RCP D/P, SUB-COOLING, ANALOG DISPLAY, MENU.]

[Panel front NPS-PANELFRONTS (SHT 15): RCS vessel menu. Header readout PZR WATER TEMP T-101A. Menu items: RX VESSEL SEAL PRESS P-118, PZR / RX VESSEL VENT PRESS P-13B, RX VESSEL LEVEL (RVLMS), REFUELING LEVEL. Selection buttons RCS, PZR, VESSEL, RCP D/P, MENU.]

[Panel front (sheet number illegible): RCS safety valve position menu (PAMI). Header readout PZR WATER TEMP T-101A. Menu items: RC-200 SAFETY VALVE POSITION, RC-201 SAFETY VALVE POSITION, RC-202 SAFETY VALVE POSITION, RC-203 SAFETY VALVE POSITION; ALMS indication. Selection buttons RCS, PZR, VESSEL, SUB-COOLING, ANALOG DISPLAY, MENU. Drawings not recoverable.]

[Panel front NPS-PANELFRONTS (SHT 17): RCP differential pressure menu. Header readout PZR WATER TEMP T-101A. Menu items: RCP-1A D/P PDI-110, RCP-1A D/P PDI-111, RCP-1A D/P VALID; RCP-1B D/P PDI-112, RCP-1B D/P PDI-113, RCP-1B D/P VALID; RCP-2A D/P PDI-120, RCP-2A D/P PDI-121, RCP-2A D/P VALID; RCP-2B D/P PDI-122, RCP-2B D/P PDI-123, RCP-2B D/P VALID. Selection buttons RCS, PZR, VESSEL, MENU. Drawing not recoverable.]

[Panel front NPS-PANELFRONTS (SHT 4): RCP seal bar-graph display. Left: RCP 1A SEAL #3 INLET PRESS P-152, scale 0-2500 psig with NORMAL band. Right: RCP 1B SEAL #3 OUTLET TEMP T-190, scale 0-400 °F with NORMAL band. Selection buttons PUMP/MTR and SEAL. Drawing not recoverable.]

[Panel front NPS-PANELFRONTS (SHT 7): RCP 1A seal menu. Header readout RCP 1A SEAL #2 INLET PRESS P-152 (psig). Menu items: SEAL #1 INLET PRESS P-151, SEAL #2 INLET PRESS P-152, SEAL #3 INLET PRESS P-153, SEAL #3 OUTLET TEMP T-118. Selection buttons PUMP/MTR, SEAL, MENU. Drawing not recoverable.]

[Panel front NPS-PANELFRONTS (SHT 9) and one adjacent sheet: RCP pump / motor instrument list tables. The tables were printed rotated and the extracted text is not recoverable beyond the sheet title.]

[Panel front NPS-PANELFRONTS (SHT 10): RCP 1A lubrication menu. Header readout RCP 1A PP BRG OIL RSVR LVL L-107. Menu items: L.O. COOLER TEMP (tag partly illegible), PP BRG OIL RSVR LVL L-107, MTR LWR OIL RSVR LVL L-108, MTR UPPER OIL RSVR LVL (tag partly illegible), OIL LIFT TK LVL L-131. Selection buttons PUMP/MTR, SEAL, MENU. Drawing not recoverable.]

[Control device symbol legend for the panel front drawings. Each symbol carries a REGION field, a tag field (XX-XXX / XXXX) and numbered indicator positions.]

  TYPE A   Modulating valve: OPEN (indicators 1-3)
  TYPE B   Isolation valve: OPEN, CLOSE (indicators 1-3)
  TYPE C   Positive displacement pump: ON, OFF (indicators 1-3)
  TYPE D   Centrifugal pump: ON, OFF (indicators 1-3)
  TYPE E   Heater breaker: CLOSE, OPEN, AUTO (indicators 1-4)
  TYPE F   Heater breaker: CLOSE, OPEN (indicators 1-3)
  TYPE G   Lamp test (LAMP TEST)

[Display pages, PRESSURIZER PRESSURE CONTROL. Each page has tabs PRESSURE, HEATERS and SPRAYS, AUTO status indicators for each, a deviation bar graph scaled -50 to +50, a pressure bar graph scaled 1500-2500 PSIA with VALID indication and an RRS-S.P. (setpoint) marker, HEATER and SPRAY output readouts (shown at 50.0%), and a CLEAR button. Drawings not recoverable; the recoverable page contents are:]

  PRESSURE tab, page PZR PRESS SETPOINT: setpoint entry, pressure readouts in PSIA (values illegible), P-1 select button.
  PRESSURE tab, second page (title partly illegible): two pressure readouts in PSIA (values illegible), P-1 select button.
  HEATERS tab, page HEATERS OUTPUT: MANUAL / OUTPUT selection, output 50.0%, P-1 select button.
  SPRAYS tab, page SPRAY OUTPUT: MANUAL OUTPUT selection with UP / DN, output 50.0%, P-1 select button.
  HEATERS tab, page PROPORTIONAL HEATERS: P-1 and P-2 with CLOSE and TRIP controls, pressure readouts in PSIA (values illegible).
  SPRAYS tab, page SPRAY VALVES: RC-100E and RC-100F with CLOSE controls, pressure readouts in PSIA (values illegible), P-2 select button.

[Display pages, SEAL INJECTION CONTROL. Each page has tabs INJ TEMP and INJ FLOW, AUTO status indicators, a deviation bar graph scaled -50 to +50 for temperature and -3 to +3 for flow, an OUTPUT readout, per-pump flow readouts RCP-1A, RCP-1B, RCP-2A and RCP-2B (sample values 5-8 GPM), a temperature readout (sample value 126 °F) with its tag, and a CLEAR button. Drawings not recoverable; the recoverable page contents are:]

  INJ TEMP tab, page TEMP OUTPUT DEMAND 2B: MANUAL / OUTPUT selection, output 48.0%, setpoint S.P.
  INJ TEMP tab, page TEMP SETPOINT 2B: setpoint entry, output 48.0%.
  INJ FLOW tab, page 1A FLOW SETPOINT: flow tag F-153, setpoint 5.0 GPM, outputs 50.0% and 88.0%, WORST DEV readout.
  INJ FLOW tab, page 1A FLOW OUTPUT DEMAND: MANUAL / OUTPUT selection, setpoint 5.0 GPM, outputs 50.0% and 88.0%.

[Alarm tile page, pressurizer / RCS group. Row 1: PZR PRESS HI, PZR LEVEL HI, PZR SFTY, RCS TEMP HI. Row 2: PZR PRESS LOW, PZR LEVEL LOW, PRESS LO T2/L2. Row 3: RCS VENT / VAL, RC VSL LOOP OPER, RCS SEAL, T DEV, ESTB (row 3 text partly illegible). Message line: PZR LEVEL LOW. CLEAR button. Drawing not recoverable.]

[Alarm tile page, reactor coolant pump group. Four columns RCP 1A, RCP 1B, RCP 2A and RCP 2B, each with tiles PP/MTR, CLG, SEAL and OIL. Additional tiles: CNTL BLD, SEAL INJ TEMP, SEAL INJ FLOW. Buttons: ALARM LIST, CLEAR. Drawing not recoverable.]
  .       n                                                                                   B i      y=                                                                                   3 F                     TIME SEQUENTIAL ALARM LIST                                            %

i i + t P

  • DESCRIPTION SET POINT VALUE TIME
          > TITLE XXXXX      /XXXXX  f5:14:20
  • h LTDN HDR @ ION EXCH INLET TEMP HI M1 RCS TEMP HIGN g RCS Thot Hi XXXXX /XXXXX 15:14:21 E RCS Tcold H1 XXXXX /XXXXX 15:84:22 k

XXXXX /XXXXX t5:14:23 PZR LEVEL / RELIEF @ PZR LEVEL ERROR LOW XXXXX /XXXXX 15:14:24

                               @ PZR SAFETY TO ROT TEMP HI RCS VAL                                        XXXXX       /XXXXX 15:14:25

[3] PZR LEVEL SENSOR DEV XXXXX /XXXXX 15:14:2 6 LTDN HDR @ LTDN HX INLET TEMP HI XXXXX /XXXXX 15:14:27

                                @ HIGH LETDOWN PRESSURE VCT PRESS / TEMP                               XXXXX       /XXXXX  15:14:28
                                @ VCT PRESSURE HIGH XXXXX      /XXXXX  15:14r29
                                @ VCT TEMP HIGH l END OF ALARMS l P

if " YEL CLR h s ,

               ^

4 p3h CFM PRI SEC PWR ELE AUX OT b s 5 k 9 - 9 e

System 80+ Deslan ControlDocumart . (3 N  !

                                                  ',i                                 ;aj D    -

E l i' . ca

                                                                                    ' Dil g

lg . . l v ' all g T Q H l [ $j

                                                                                      .Cd 4-(                    )

s Q y Q G 5 5 N ' r E o LI-v a = l l s r t > g n

j. s ij [ ;j j'Ea y)
  • J
                           ;             y            ij.                    E va    no T          *              *
                                            ?,        Il                     7 U iiC %

i 1 I e i f) v RCS Panet/ Layout Figure 18.7.3-39 I An"*wd W Mosenial Nwnen Fectors Enskmerkw rape 18.7 179 l l

[Figure 18.7.4-1, CVCS Panel Layout (page 18.7-180). Recoverable labels: alarm tile module, discrete indicators, CRT, PZR LVL CNTL, effluent controller, component controls, CVCS component controls.]

[Figure 18.7.4-2, Plant Monitoring and Control Panel Layout (page 18.7-181); drawing labels not legible.]

[Figure 18.7.4-3, Feedwater and Condensate Panel Layout (page 18.7-182). Recoverable labels: feedwater and condensate alarms, DIAS, CRT 1, feedwater train controller, steam generator 1 and 2, feedwater and condensate train.]

[Figure 18.7.4-4, Turbine Control Panel Layout (page 18.7-183). Recoverable labels: alarm tile modules, CRT, turbine discrete indicators, turbine insert, turbine support component controls.]

[Figure (number not legible), Safety Monitoring Panel layout. Recoverable labels: alarms; CRT 2; DIAS-P A and B; ESF status; radiation monitor; CCS operator's modules A, B, X, C, D; CPC modules A, B, C, D; PPS modules A, B, C, D; diverse manual ESF actuation switches; ESF modules and reactor trip.]

[Figure (number not legible), Engineered Safety Features panel layout. Recoverable labels: DIAS, DIAS alarm, CRT; functional areas for safety injection, safety depressurization, cavity flood, emergency feedwater / atmospheric dump, shutdown cooling, containment spray, containment isolation.]

[Figure 18.7.4-7, Cooling Water Panel Layout (page 18.7-186). Recoverable labels: cooling water alarm tiles, UHS, DIAS, CRT, CCWS functional area, SSWS/UHS functional area.]

[Rotated panel layout drawings following Figure 18.7.4-7; captions and labels not legible.]

[Figure (number not legible), Heating and Ventilation Panel Layout (page 18.7-190); drawing labels not legible.]

[Figure 18.7.4-12, Protection Panel Layout (first word of the title not legible; page 18.7-191); drawing labels not legible.]

[Figure 18.7.4-13, Sheet 1 of 2, CRS Console Layout (page 18.7-192); drawing labels not legible.]

[Figure 18.7.4-13, Sheet 2 of 2, CRS Console Layout; drawing labels not legible.]

[Figure 18.7.4-14, Sheet 1 of 2, CRS Desk Layout (page 18.7-194); drawing labels not legible.]

[Figure 18.7.4-14, Sheet 2 of 2, CRS Desk Layout (page 18.7-195); drawing labels not legible.]

18.8 Control and Monitoring Outside the Main Control Room

18.8.1 Remote Shutdown Panel

18.8.1.1 Design Description

The Remote Shutdown Panel (RSP) is designed to provide an alternate control station which can be used to shut down the plant in the unlikely event that the main control room becomes uninhabitable. {{Sufficient safety grade instrumentation and controls are provided to perform the following operations:

• Achieve prompt hot shutdown of the reactor, subsequently referred to as hot standby per standard technical specifications (reactor subcritical at operating pressure and temperature).
• Maintain the unit in a safe condition during hot standby.
• Achieve and maintain cold shutdown of the reactor from the RSP.

Damage to equipment in the control room does not preclude operation of any required equipment at the RSP, and a single failure in an active safety train does not preclude a safe plant shutdown from being accomplished.}}¹

The Nuplex 80+ design provides switches near each MCR exit for transfer of control from the MCR to the RSR. See Section 7.4.1.1.10 for additional detail on transfer of control.

The RSP design is based on the standard Nuplex 80+ indication and control methodologies discussed in Section 18.7.1. It applies the human factors design criteria described in Section 18.7.2 in a manner consistent with the RCS panel design (Section 18.7.3). Although it implements many of the same features as incorporated in the RCS panel, some specific features address the RSP's unique function and its qualification as a safety system.

The Nuplex 80+ remote shutdown panel includes all divisions of safe shutdown controls (as indicated in Table 7.4-1 of Section 7.4.2.5), each isolated from the main control panels. Sufficient information is provided for each safe shutdown system to maintain hot standby. The man-machine interface for this instrumentation is consistent with the main control room. The Nuplex 80+ RSP also provides indication and control for the normal control systems used for maintaining hot standby. The RSP instrumentation provides centralized controls and indications necessary for achieving cold shutdown. Sufficient communications and indications exist to achieve and maintain cold shutdown using suitable procedures and local control stations. The indication and control at the Nuplex 80+ RSP are physically separated and electrically isolated from the Nuplex 80+ main control room.

The RSP provides controls for plant shutdown operations using either normal systems or safe shutdown systems. The safety grade controls required for achieving and maintaining hot shutdown are identical to those used in the main control room. Also, controls of the normal process control systems that provide significant benefit to operator convenience in achieving and maintaining hot standby are identical to those in the main control room.

¹ NRC Staff approval is required prior to implementing a change in this information; see DCD Introduction Section 3.5.

Control of other safety systems and normal components is performed at the RSP using a Component Control System (CCS) operator's module or a Plant Protection System (PPS) operator's module. One CCS operator's module is provided for each safety channel and for each normal control channel. Also, one PPS operator's module is provided for each safety channel. These CCS and PPS operator's modules are the same as those located on the Safety Monitoring Panel and described in Section 18.7.4.5. Section 7.4.2.5, Table 7.4-1, lists the controls and instrumentation to be provided on the RSP.

18.8.1.2 Functional Grouping and Panel Layout

The RSP design applies the same criteria for human engineering and for information display and control allocation as used for the main control room. It is a sitdown panel similar to the MCC in the main control room (see Figure 18.6.5-11), with a hierarchy of alarms, indications and controls consistent with that used at the master control console. The instrumentation and controls are grouped according to their functional roles supporting the operations to be performed at the RSP, with a similar left-to-right orientation as the MCC. Figure 18.8-1 typifies the panel configuration.

A central panel is flanked by two wings. The left wing provides controls and indications for the primary systems controlling RCS inventory and pressure, and PPS operator's modules. The significant normal controls are inboard on the panel, while the associated safety system controls are located farther out on the left. The right wing provides controls and indications for the secondary systems controlling RCS heat removal. The normal controls for feedwater flow and steam release are inboard on the panel. The safety system controls for emergency feedwater, main steam isolation and atmospheric dump valves are located farther out on the right.

Alarm tiles are provided in the upper section of each wing, consistent with the master control console design. Alarm tiles are provided for significant alarms related to operations to be performed on the RSP. These are discussed in Section 18.8.1.4. Other alarms are provided through the DPS VDU using the Data Processing System in the same manner as in the main control room.

The central panel contains the DPS VDU and ESF-CCS operator's modules, which are used to augment the dedicated indications and controls on each wing panel. One operator's module is provided for each of the four ESF-CCS safety channels. They access the component control system for safety grade controls not included in the dedicated controls. An additional operator's module is available for each of the two normal control channels; these provide access to the component control system for all normal controls. Reactor trip push buttons are also provided on this panel. The operator's modules provide displays and system controls in the same format as the operator's modules provided in the main control room at the Engineered Safety Features panel. The DPS VDU provides the same display system as is available in the main control room.

18.8.1.3 Additional Features Specific to the RSP

The lower section of the center panel provides an open area for spreading procedure documents. It also provides a phone for communication with operators located at local component control stations.

18.8.1.4 Dedicated Alarm Tiles on the RSP

The dedicated alarm tiles selected for the RSP are a subset of those used in the main control room. Alarms are selected only if they are pertinent to carrying out the operations for which the RSP is designed. Specifically, these are operations associated with achieving and maintaining hot standby or cold shutdown, with the assumption that a reactor trip is performed prior to control room evacuation. The RSP alarm requirements will be identified as part of the Functional Task Analysis and detailed panel design.

[Figure 18.8-1, Remote Shutdown Panel Layout (page 18.8-4); drawing labels not legible.]

18.9 Verification and Validation

The verification and validation of the Nuplex 80+ human system interface demonstrates operator task performance capabilities and the capabilities to perform operator functions in the control room. All Nuplex 80+ verification and validation activities are performed under the conditions specified in the Human Factors Engineering Verification and Validation Plan (Section 18.4, Reference 3). The Human Factors Engineering (HFE) Verification and Validation Plan for Nuplex 80+ describes how the HFE verification and validation is managed, administered, and performed. Additionally, the verification and validation analysis criteria, methodology, required resources (e.g., Emergency Operations Guidelines, normal and abnormal operating sequences, I&C design requirements, HSI hardware, etc.), schedule for activities, and milestones are provided. Specifically, the HFE Verification and Validation Plan meets the design process requirements and criteria for availability verification, suitability verification, and validation of the ensemble as defined in Sections A-3.6, A-3.7, and A-3.8 of the HFE Program Plan (Section 18.4, Reference 4).

The HFE V&V Plan applies to all Human System Interface (HSI) and workspace environment in the Main Control Room (MCR), Remote Shutdown Room (RSR) and those control stations specified in the Emergency Operations Guidelines (EOG). There are three distinct types of verification and validation activities: 1) Availability Verification, 2) Suitability Verification, and 3) Validation.

18.9.1 Availability Verification

Availability verification takes place in two phases, Phase 1 (availability analysis) and Phase 2 (availability inspection). The purpose of Phase 1 (Availability Analysis) is to assure the following:

1. The System I&C Inventory meets the following requirements:
   - Information & Control Requirements (ICR) as specified in the Functional Task Analysis,
   - Federally mandated indication and control requirements, and
   - Fixed position MCR HSI is provided for credited safety function success path tasks identified in the Probabilistic Risk Assessment (PRA) and EOG.
2. Unresolved HFE TOI database issues are reviewed to identify any additional issues that should be considered during availability analysis.

After assuring the above requirements are met in the System I&C Inventory, a checklist (to be used during the Phase 2 inspection of the as-designed HSI) of System I&C Requirements applicable to the MCR, RSR, and local control stations specified in the EPG is developed. The purpose of Phase 2 (Availability Inspection) is to compare the as-designed HSI to the availability checklist produced by the Phase 1 analysis; this includes:

1. verifying and documenting that all System I&C Inventory identified on the Availability checklist are available in the HSI design;
2. identifying candidate HSI indications or controls for removal.

18.9.2 Suitability Verification

Suitability verification addresses the issue of whether the form and arrangement of HSI indications and controls support operator task accomplishment. It roughly spans the gap between the questions "is the needed information, and only the needed information, present?" (Availability) and "does the design, in terms of actual operators, using the full control room, the actual procedures, the real plant dynamics, etc., actually work together as a whole?" (Validation). Suitability therefore overlaps somewhat with both of these areas of evaluative effort.

The suitability verification is performed in two phases, each of which uses a different approach. Phase 1 (Suitability Analysis) uses a top-down approach, and Phase 2 (Suitability Inspection) uses a bottom-up approach. Phase 1 (Suitability Analysis) evaluates the appropriateness of the design selections in the context of the big picture using a "top-down" approach. This view considers the overall system design, the nature of real-world operator tasks, and the integration of the parts of the man-machine interface into a coherent and easily used whole. Phase 2 (Suitability Inspection) uses the control station design review guidelines found in the Human Factors Engineering Standards, Guidelines, and Bases for System 80+ as a set of accepted and established criteria. These criteria are particularly useful for identifying individual item discrepancies, such as inadequate letter sizes or lighting levels.

18.9.3 Validation

18.9.3.1 Design Validation

The purpose of design validation is to ensure that the sum of the various HSI features afforded by the MCR, RSR, and any local control stations specified in the EPG provides a usable HSI ensemble that supports the successful accomplishment of the operator's required tasks.

Design validation will be conducted using a facility that physically represents the MCR configuration and dynamically represents the operating characteristics and responses of the System 80+ design. Design validation includes operator interaction with the ensemble and EPG or operating sequences to meet the following objectives:

• Validate ability to execute operator tasks required by procedure guidance;
• Validate the MCR configuration staffing assumptions and confirm the Task Analysis results;
• Validate time response for credited operator actions based on the safety analysis;
• Validate the allocation of functions and support for operating crew situational awareness;
• Validate operator communication and team interaction;
• Validate operation with HSI and I&C equipment failures;
• Validate ability of the operator to use the alarm system effectively.

Each of the plant accident, abnormal, normal, and HSI and I&C equipment failure operating sequences will be performed on a facility that physically represents the MCR configuration and dynamically represents the operating characteristics and responses of the System 80+ design. The design validation team will be debriefed after each scenario to identify and define discrepancies. These discrepancies will be documented. The design validation activities will be conducted until the completed control complex is validated.

18.9.3.2 Operating Ensemble Validation Plan

[[Information concerning the site operator's operating ensemble validation is within the site operator's scope and shall be provided in the site-specific SAR.]]²

An operating ensemble validation plan shall be developed to guide validation activities that will demonstrate acceptability of the completed operating ensemble (i.e., man-machine interface, plant-specific procedures, and operating staff). This will provide assurance that trained operators using "final" plant-specific procedures in the as-built control room together form an effective operating ensemble. Completion of the operating ensemble validation will satisfy all requirements on the main control room and remote shutdown room validation.

The operating ensemble validation plan shall specify the scope of procedures and validation scenarios to be used. As a minimum, the operating ensemble validation shall exercise the "final" version of all plant-specific procedures developed to meet the requirements of Section 13.5.1.1 (note that the procedures validation of Section 13.5.1 may be performed in conjunction with this activity). In addition, operating tasks for plant-specific equipment that is different from the certified design shall be performed using appropriate scenarios and applicable procedures.

The operating ensemble validation plan shall specify the validation methodology, including required validation team personnel, required facilities and resources, detailed operating scenarios which incorporate all critical tasks identified in the Task Analysis from the PRA, performance measures, and data collection and analysis methodology. The facilities shall physically represent the MCR and RSR configurations and dynamically represent the operating characteristics and responses of the System 80+ design.

The operating ensemble validation plan shall specify the acceptance criteria to be used during the validation. These will include relevant acceptance criteria from the Nuplex 80+ design validation provided through the Operating Support Information Plan and scenario-specific objective criteria.

The operating ensemble validation plan shall specify the schedule and milestones of the validation activities.

The operating ensemble validation plan shall require administrative procedures to govern validation activities, including reporting and resolution of findings.

² COL information item; see DCD Introduction Section 3.2.

18.10 Documents Used in Licensing Review

The following documents were used by NRC staff, in addition to chapter subsection references, to complete the safety evaluation review.

1. LD-92-076, "System 80+ Shutdown Risk Report, Revision 1," attached "System 80+ Shutdown Risk Evaluation Report" (DCTR 10, Draft, June 15, 1992), the applicant letter dated June 16, 1992.
2. LD-92-115, "Closure of System 80+ Draft Safety Evaluation Report Issues," attached response to DSER Issue No. 20.2-28, the applicant letter dated November 24, 1992.
3. LD-92-120, "Closure of System 80+ Draft Safety Evaluation Report Issues," Attachment (untitled), Response to DSER Issue Nos. 20.2-23 and 20.2-29, the applicant letter dated December 18, 1992.
4. LD-93-135, "System 80+ Information for Issue Closure," Attachment 1, "ABB-CE Response to System 80 Operating Experience Issues Based Upon Interviews with System 80 Operators," the applicant letter dated September 1, 1993.
5. LD-93-140, "System 80+ Information for Issue Closure," Attachment 5, "SSAR-DC Markups for V&V and Procedures," the applicant letter dated September 24, 1993.
6. LD-92-102, "System 80+ Human Factors Documentation Submittal," Attachment 1, "Nuplex 80+ Advanced Control Complex Design Bases" (NPX80-IC-790-01, Rev. 00, January 15, 1990); "System 80+ Human Factors Documentation Submittal," Attachment 2, "Nuplex 80+ Compliance with NUREG-0737 Supplement 1 Requirements," the applicant letter dated September 23, 1992.
7. LD-93-005, "Closure of System 80+ Draft Safety Evaluation Report Issues," Attachment 5, "Chapter 18, DSER Open Item Responses," the applicant letter dated January 18, 1993.
8. LD-93-100, "System 80+ Information for Issue Closure," Attachment 2, Sub-Attachment 2, "Justification of ABB Positions Requested for Closure of Task Analysis," the applicant letter dated June 25, 1993.
9. LD-93-106, "Nuplex 80+ Design Features Review Comment Responses," Attachment 1, "Design Features Review Comment Responses," the applicant letter dated June 30, 1993.
10. ALWR-92-203, "Review of Human Factors for System 80+ and DCRDR Audit," the applicant letter dated April 30, 1992.
11. LD-92-065, "System 80+ Supplements to RAI Responses," Attachment 1 (untitled), attached responses to RAI Nos. 620.2, 620.27 and 620.28, the applicant letter dated May 8, 1992.
12. LD-93-135, "System 80+ Information for Issue Closure," Attachment 6, Sub-Attachment 1, "Comments from Draft TER (7/14/93) on Nuplex 80+ HSI Justification of ABB Positions Requested for Closure of HSI Issues," the applicant letter dated September 1, 1993.
13. LD-93-147, "System 80+ Information for Issue Closure," Attachment 1, "Responses to Cross-Branch Chapter 18 Questions (10/4/91)," the applicant letter dated October 18, 1993.
14. LD-93-135, "System 80+ Information for Issue Closure," Attachment 6, Sub-Attachment 4, "ABB Responses to DSER OI 18.8.2 TER," the applicant letter dated September 1, 1993.
15. LD-93-071, "System 80+ Submittal #1 Design Descriptions and ITAAC," the applicant letter dated April 30, 1993.
16. LD-93-140, "System 80+ Information for Issue Closure," Attachment 2, "Justifications of ABB Positions Requested for Closure of V&V," and Attachment 5, "SSAR-DC Markups for V&V and Procedures," the applicant letter dated September 24, 1993.
17. LD-94-001, "System 80+ Information for Issue Closure," Attachment 3, "Transmittal of Tracking of Open Issues (TOI) Data to NRC," the applicant letter dated January 7, 1994.

}}