Latest revision as of 21:50, 10 December 2024

Text

SPDS Rept for Calvert Cliffs Nuclear Power Plant
	ML20155D571
Person / Time
Site:	Calvert Cliffs
Issue date:	09/30/1988
From:	; BALTIMORE GAS & ELECTRIC CO.
To:	;
Shared Package
ML20155D568	List: ML20155D565; ML20155D571; ML20155H216;
References
	NUDOCS 8810110305
	Download: ML20155D571 (30)
	v • d • e

ENCLOSUR E SAFETY PARAMETER DISPLAY SYSTEM REPORT FOR CALVERT CLIFFS NUCLEAR POWER PLANT I

IIAI.TIMORE GAS AND EI.CCTRIC COMPANY I

l SEPTEMilER 1988 i

l CS10110305 880930 ADOCK 05000317 PDR FDC p

TABLE OF CONTENTS TITLE PAGE I.

Introduction 1

2, General Dasign Criteria 2

3.

Identification of Critical Safety Functions (CFSs) 3 4.

SPDS Displays 4

5.

Parameter Selections 11 6.

Isolation Devices 17 7.

Iluman Factors Program 18 8.

Data Validation 22 9.

Safety Analysis 23 Attachments:

1.

CEN-152 Safety Function Status Check Bases 2.

DAS Block Diagram (one channel) 3.

Remote I/O Equipment liardware Acceptance Test 4,

Operator's Contole/SPDS CRTs 5.

Plant Operating Summary /CSFs Displays

I, Introduction This report provides a ge seral description and safety analysis for the safety parameter display system (SPDS) installed at the Calvert Cliffs Nuclear Power Plant. Installation of an SPDS was required by Supplement I to NUREG-0737, Requirements for Emergency Response Capability, dated December 17, 1982. The function of the SPDS is to provide a concise display of critical plant variables to the control room operators to aid them in rapidly and reliably deterinining the safety status of the plant during abnormal and emergency conditions and in assessing whether abnormal conditions w arrant corrective actions by the operators to avoid a degraded core.

In accordance with Supplement ! :o NUREG 0737 this report identifies the critical safety functions and supporting input parameters that are displayed on the Calvert l

Cliffs SPDS. Information is also provided regarding the criteria that are or will be applied during the design, fabrication and testing phases. We have determined that installation of the SPDS does not invohe an unreviewed safety question or a char'ge to the technical specifications; therefore, a pre-implementation review by the NRC is not required.

Da June 6,

1984, we provided a report for the SPDS. Because of updated information, we find it necessary to revise the previously subnjitted report. This revised report incorporates information contained in our response to NRC's request for additional information and reflects design improvements made to the system during the course of design implementation. Such changes for the most part 9

resulted in additional display parameters and alarms being added to the Critical Safety Functions (CSFs) There were, however; a few deletions from the previous submittal. The steam flow and total feedwater flow were deleted from CSF m3; the graphics display of containment pressule, temperature and radiation sersus time j

were deleted from CSF e4; and the spent fuel pool sent radiation was deleted from 1

CSF

6, Further discussion concerning the basis for t)aramtier selection is included under Section 5.

All changes to the SPDS recei e appropriate internal resiew following established design procedures. Under the General Design Criteria Section, we have removed the discussion concerning the need for the operator to shed load from the emergency diesel generator upon a Safety injection Actuation Signal (SlAS). It was not necessary to shed load or to replace existing batteries i

t because the load requirements of the new computer and Data Acquisition System (DAS) are significantly lower than originally projected. A test report is also 1

provided to document that isolation modules hase been accessfully subjected to j

surge withstand capability testing in accordance with IEEE Standard 472. This report contains the SPDS general description and safety analysis in its entirety with revision bars in the right margin to denote changes to the June 6, 1984 l

report.

I Letter from A. E. Lundvall, Jr. (DG&E) to J. R. Miller (NRC), dated 2

F,=bruary 4,1985, Safety Parameter Display System (SPDS)

.l.

I

3 i

i I

i l

?

1 l

f 2.

hW)pgjg Criteri4 i

q The Calvert Cliffs SPDS is designed as non-Class IE and non-seismic Category 1.*

i The software package for the SPDS is included on the new plant computer. The 3

plant computer is powered from an uninterruptible power supply on each unit a

consisting of a 25 KYA computer inverter, existing plant batteries #12 or #22, and associated battery chargers and 430 volt diesel backed buses. This design ensures that upon loss of offsite power, the SPDS will be available to the operator.

i A verification and validation (VAY) program has been implemented by BGAE. The j

following design review checkpoints are being inserted into the plant computer project schedule to accommodate this effort:

[

l 1

A.

Identification and definition of critical safety functions l

B.

Determination of supporting I/O r

C.

Formatting of displays 4

D.

Development of alarm algorithms l

E.

Definition of man machine interface protocol l

F.

Review of program flowcharts i

1 G.

Review of coding i

i II.

Witness of validation testing i

1 A!! displays are human factored to ensure optimum operator understanding, using

)

NUREG-0700 as the guiding document. Alarms are generated to alert the operator to 1

loss of safety margins or degraded conditions which have the potential for i

i adversely impacting safety margins. Each display page includes a matrix of CSF l

j alarm windows to alert the operator to the status of all CSFs no matter what page j

he is viewing at a given time. A contact output from the plant camputer is an p

4 input to the plant annunciator system. The primary user will be thi shift super-j visor and shift technical advisor. SPDS consoles are provided in the control room and in the technical Support center (TSC).

i 1

i l

Although the SPDS is non-seismic Category 1, installation of equipment in i

j seismic Category I structures, or proximal to any safety related (SR)

[

equipment / systems are seismically mounted in accordance with established criteria to preclude the possibility of interaction with other SR systems.

l i

i l

l l

I I

a i

i l

l t

l I

2-f I

L

a 9

i 1

i e

i j

3.

Identification of Critical Safety Functions (NFs)

J i

lhe following critical safety functions are incorporated into the design of the Calvert Cliffs SPDS and are described in further detail in Section 4:

(1)

Reacthity Control Provides operator with data required to evaluate power level or shutdown margin of the reactor, a

j l

(2)

RCS Pressure and Inventoty: Provides operator with data required to evaluate integrity of RCS and determine adequacy of pressure control function.

1 (3) Core /RCS Ileat Removal: Provides operator with data required to determine if l

core is being adequately cooled.

1 (4) Containment Environment Provides operator with data requi'ed to evaluate condition of conta!nment environment.

This data is needed to assess j

challenges to the containment structure.

J (5) Containment Isolation: Provides operator with data required to determine if I

containment is isolated when required.

]

l (6)

Radiation Control Provides operator with data required to evaluate releases l

of radioactivity.

l (7)

Vits! Auxillaries' Provides operator with data required to evaluate status 1

of vital support systems used to prevent or mitigate the consequences of an l

accident.

l i

l I

I.

l l

5 l

4 l

i t

i l

, i

4.

SPDS Disolavs A.

CSF *1:

Reactivity Control Linear power l

Log power Start-up rate Cold leg temperature Boron concentration Boric Acid Storage Tank (BAST) level l

Charging pump flow liigh Pressure Safety lejection (llPSI) flow Charging source (BAST, Refueling Water Tank (RWT), or Volume Control i

Tank [YCT)) status Control Element Assembly (CEA) mimic Status of letdown isolation valves Red Alarms Two or more rods stuck Power high after trip Anticipated Transient Without Scram (ATWS) condition Two or more dropped rods l

Yellow Alarms Dropped rod l

One stuck rod 1

Reactivity addition l

i

)

.I l

l i

I l

i

B, CSF m2: RCS Pressure & Inventorv Pressurizer pressure I

Pressurizer level Loop subcooled margin I

Steam generator pressure i

Reactor vessel level Core exit temperature i

I Net charging flow IIPSI flow i

Low Pressure Safety injection (LPSI) flow Status of pressuriter relief valves i

Containment radiation status Steam Generator (SG) blowdown tank radiation status 1

Wide range effluent radiation monitor status Status of Safety injection Actuation Signal (SIAS)

Status of Recirculation Actuation Signal (RAS) j i

Component cooling system head tank lesel state i

Status of Reactor Coolant Pumps (RCPs) l Containment sump level i

Quench tank level 1

Quench tank temperature Quench tank pressure VCT les el i

RWT lesel Letdown flow Status of recirculation valves a

Pressurizer pressure s ersus reactor coolant temperature (Teold) plot Red Alarms

]

Subcooled martin high i

Emergency Core Cooling System (ECCS) failure j

j RAS failure i

i Reactor sessel lesel low I

1 d

Reactor Coolant System (RCS) pressure high

{

j 1

1 Yellow Alarms

)

Any pressurizer relief vahe open i

Pressurirer les el abnormal

)

q i

1 1

l I

l C,

CSF m3: Core /RCS Ilest Removal Teold Delts temperature (Thot - Teold)

RCS flow i

SG pressure g

SG level l

Auxiliary Feedwater (AF%) flow i

)

Condensate Storage Tank (CST) level l

Auxiliary Feedwater Actuation Signal (AFAS) status 1

AFAS block status Steam Generator Isolation Signal (SGIS) status I

Pressurizer pressure

]

Loop subcooled margin Reactor vessel lesel Core Exit Thermoccuples (CET)

Core subcooled r..stgin RCP status i

CET map CET tiend

[

J

]

l i

Red Alarms l

Tcold high CET high Loss of primary / secondary heat exchanger AFAS failure I

AFAS block failure SGIS failure j

SG pressure high high l

I i

1 Yellow Alarms l

l I

Excess cooldown rate i

Subcooled margin low l

i Main Steam Line Dreak (MSLil)/AFAS block

{

1 SG level high j

SG pressure high l

i l

i 1

i i

i 1

I l i

,._,m

1 l

D, CSF w4: Containment Environment l

Containment pressure Containment temperature i

Containment water level j

Containment radiation l

Containment spray flow l

Total service water to containnant coolers Containment hydrogen concentration Containment Spray Actuation Signal (CSAS) status l

Safety Injection Actuation Signal (SIAS) status j

j RAS status i

a i

i Red Alarms l

4 Containment ecoling inadequate i

CSAS failure Main Feedwater (MFW) trip failure i

Containment hydrogen high high I

Yellow Alarms Containment radiation high i

Containment temperature high 1

Containment hydrogen high l

I Containment pressure high Containment water level high I

i i

f i

i l

5 1

I

(

l

, I

E.

CSF #5: Containment Isolation j

Containment radiation l

~

Wide range effluent radiation Containment purge Containment purge samplc i

Containment normal sump Containment hydrogen purge Containment isolation Signal (CIS) status RAS status l

S!AS status l

l 1

Red Alstms CIS failure Containment isolation vahe failure Penetration room vent failure RAS and llPSI recirculation to RWT l

Yellow Alarms Redundant isolation valve open i

l I

I i

I

-g-

F.

CSF e6: Radiation Control Wide range effluent radiation Condenser off gas radiation hiain steam effluent radiation i

Gas waste discharge radiation Liquid waste discharge radiation Containment radiation Control room vent radiation status ECCS pump room vent radiation status j

Access control area radiation status SG blowdown tank radiation status SG blowdown ion exchanger radiation status Service water radiation status Letdown radiation status Component cooling radiation status l

1 1

J Jed Ahrms 1

Condenser off gas radiation high high

-j Gas waste discharge radiation high high Liquid waste discharge radiation high high hiain steam effluent radiation high high Wide range effluent radiation high high l

I Yellow Alarms i

hiain steam effluent r:distion high Service water radiation high I

1 iquid waste discharge radiation high I

r Letdown radiation high j

r I

Gas waste radiation high 1

Component cooling radiation high Condenser off gas radiation high

]

1310w town tank radiation high Wide range effluent radiation raonitor high I

j Blowdown ion exchanger discharge radiation high i

l l

\\

l I

l i

1 1,

G.

Cl F # 7:

Vital Autilisries Saltwater system header pressure Service water system header pressure Component cooling water system header pressure Instrument air pressure Indication of voltage (nominal / low) on 4KY bus 11,14, i

)

(Unit 2: 21,24)

Indication of voltage (nominal / low) on 480Y bus ll A.

ilB,14A,148 (Unit 2: 21 A, 21B, 24A, 24B)

Indication of voltage (nominal / low) on 125 VDC bus f1, 12 (Unit 2: 21,22)

Indication of voltage (nominal / low) on vital 120 VAC i

l bus 11,12,13,14 (Unit 2: 21, 22, 23. 24)

I Exciter field breaker status 500 KV breaker status

)

l Red Als'DH i

Loss of two or more 120V vital AC buses Loss of both SR 4KV buses Loss of all service water Loss of all saltwater Yellow Alarms i

l Loss of one 120Y vital AC bus Loss of one or more 125 VDC buses Loss of II A 4t0V bus (Unit 2 2t A)

Loss of IIB 480V bus (Unit 2 218)

Loss of 14A 480V bus (Unit 2 24A)

Loss of 14D 480Y bus (Unit 2 248)

Instrument air pressure low One saltwater header pressure low

,i Component cooling system pressure low One service water header pressure low

)

l 4

j l

I i

)

l l

1 I

j,

~ -._

a r

i i

J 4

)

~

I j

5.

Parameter Selectioq l-SPDS parameters were selected to provide the indleations required to verify that i

the safety functions described in CEN-152, "Cornbustion Engineering Emergency j

Procedure Guidelines' are being fulfilled. The following paragraphs discuss how the parameters relected to support the CCNPP SPDS Critical Safety Functions differ

}

from the CEN-152 Safety Function Status Check Bases. The CEN-152 Safety Function i

i Status Check Bases are provided for ease of referenes as Attachment

1. (Note:

j CEN-152 doet not list indications for Radiation Control or Vital Auxillaries.

j Parameters selected for these displays are explained under discussion of the j

individual displays.)

i A.

Reactivity Control i

All parameter indications recommended by CEN-132 are included. Also I

included are the following:

l 1

j Parameter Enh j

i 4

Cold les temperature and Directly affects reactivity

control, i

Boron concentration I

i l

BAST level, Charging Provides indication of borie acid f

pump flow and IIPSI flow addition.

4 f

Charging source status Provides verification that j

appropriate boric acid source is being used.

1 Status of letdown isolation Provides information concerning the i

Val es operability of the downstream

{

Boronometer and Radiation Monitor, j

l I

B.

RCS Prenure and inwntory Control f

i CEN-152 considers these safety functions separately, liow ever, the CCNPP i

emergency operating procedures deal with them as a combined function. All parameter indications listed in CEN-152 for RCS pressure control and RCS I

)

inventory are provided on the CCNPP SPDS. Also included are the following:

j i

i Parameter.nh Steam generator pressure Needed to differentiate between LOCA j and steam line break accident. I Core exit thermocouples Provides indication of core uncosery. I l l 1 I l i

l Parameter ]Luis l j Net charging flow, ECCS flow. Provides indication of available Containment sump level RWT inventory for RCS make up and level, VCT lesel, RAS serification of engineered safety feature functions designed to miti-l gate LOCA. j Q. tench tank lesel, pressure Provide for dagnosing accidents and temperature. Status of involsing loss of RCS inventory pressurirer Nilef valves (possible leakage paths). and letdown isolation valves. j Component cooling head tank level, Cont Innier.t radiation monitor 50 blowdown tank radiation monitor, Wide range effluent radiation monitor i Status of SIAS Prosides verification that j appropriate automatic actions l ) associated with pressure and inventory control hase occurred. i i Status of RCPs Provides information necessary to i determine appropriate spray flow path. [ 4 l Status of recirculation valses Provides verification that the l Safety injection Pumps are aligned l to the appropriate suction supply. l i Pressurizer pressure s ersus Tcold Proside sisual display of operating r j plot condition to ensure subcooled margin I limits, cooldown/heatup limits, and pump operating limits are followed. ( C. Core and RCS liest Removal i CEN-152 considers these safety functions separately; howeser, the CCNPP emergency operating procedures deal with them as a combined function. With the exception of T, all parameter indications recommendej by CEN-152 for the core heat removal and i g j RCS heat removal functions are inc,uded on the CCNPP SPDS with the following i i additions: 2 i f I ) 1 I l t J . i2 1

1 1 E ) Parameter Ba&[g { T g (not provided) in lieu of T indication listed in 3g { CEN-152, RCS Delta T (T -T ) is it C l provided for both loops (Tgg was included in CEN-152 so that the operator could calculate Delta T. i For operator convenience the CCNPP SPDS displays Delta T directly). 4 AFW flow Provides serification that the AFW system is acting to maintain or restore steam generator level. l RCS flow Provides information for evaluating l l RCS heat transfer. l 1 ] SG pressure Provides indication of excessise steam demand. a I j Pressurizer pressure, Provides indication of subcooling j and CET when RCS forced or natural circula-i tion is not present. ( i I } Reactor vessel level Provides indleation that reactor j venei contains sufficient coolant ( j to provide adequate i. cal transfer, f ) i CST level Provides verification that adequate i water ingentory is available for RCS i heat removal via the SGs. I t AFAS status, AFAS block Provides serification that appropri-status, and SGIS status ate automatic actions have occurred. l l l Core subcooled margin, CET Provides verification that appropri-l map and CF trend ate RCS heat removal esists. 1 i RCP status Provides information to determine l which heat removal method is being j i used. j i D. Containment Environment l i \\ \\ i CEN-152 addresses the containment temperature and pressure control function separately from the containment combustible gas control function, llow es er, 1 the CCNPP emergency operating procedures deal with them as a single ecmbined ) j function. All indications listed in CEN-l$2 for the subject safety j functions are provided on the CCNPP SPDS with the fo!!owing additions: 1 { .7 l i 1 ) t i 13 - 1 i

i J Parameter B2111 Containment spray flow. Provides indication that containment Total service water to depressurization systems are containment coolers operating, i Containment water level Provides indication of water inven. tory available for containment spray i 1 system. i Containment radiat;on Provides indication of radiation levels inside containment as a rela-tive indication of core degradation. l ] ] Status of CSAS, SIAS and Provides verification that RAS appropriate automatic actians hase

occurred, l

f E. Containment Isolstion i j Only one of the three indications recommended by CEN 152 (i c., Containment radiation) is included. The basis for both the deletions and additions to the SPDS are as follows: j Parameter li2111 I l Containment pressure (not included with CSF e4, Containment provided) Environment l l Secondary system radiation included with CSF a6. Radiation d (not provided) Control l i I i Wide range effluent radiation Facilitates monitoring of any leakage via the containment penetrations (this leakage would be collected by the penetration room l s entilation system w hich discharges j ] into the plant s ent). j i Status of remotely operated Provides indication of pathways purge valses senting directly to environment. l i t Status of CIS, RAS and SlAS Provides s erification that l appropriate automatic actions hase q occurred. I l i l i l 14 - 4

l l s i F. Radiation Control j The following parameters were selected to provide radiation indication, k Parsmeter B21h Wide range effluent rr.diation Encompass all monitorable release i Condenser off gas radiation paths to the environment. Main steam effluent radiation I 1.iquid waste discharge radiation l Oaseous waste discharge radiation L ) Containment radiation Provides information for diagnosing l the source of unusual effluent i levels in the esent of a major

release, 1

i I Status of Control room vent Provides verification that appropri-j radiation, 50 blowdown tank ate automatic actions have occurred. l radiation, 50 blowdown ion l eschanger radiation l l Status of ECCS pump room sent Provides information concerning l i radiation and Access control plant accessibility. ] area radiation l l Service water radiation status Provides an indication of spent fuel pool leakage to the service water

system, Letdown radiation status Provides for an on line monitor of fuel failure, 3

Component cooling radiation Provides an indication of shutdown I j status cooling heat eschangte leakage to l ] the component cooling system. [ l I i i G. Vital Autiliaries j i The followin g parameters were selected to provide indication of the j condition of sital support s) stems w hich must operate to maintain safety i functions, i l j Parameter Elih I Ileader pressure for salt Provides the best assilable indies. water, service water and tion that these systems are operat-component cooling s) stems ing as required, t i. .,s. I i

l i Parameter En[1 Voltap.e indication lights These provide indication that on vital 4KY, 480V, engineered safety features instru-125VDC,and l20 VAC mentation and equipment have the j electrical busses electrical power required for i operation, j l Instrument air pressure Instrument air pressure is not i necessary for maintenance of plant safety features but a knowledge of i j ltitufficiant air pressure could significantly change the strategy of dealing with a particular accident. Exciter field breaker status Provides indication that the breaker 1 has automatically opened following a l

trip, 500 KV breaker status Provides information concerning the avellability of offsite power, 1

l I 4 l { i i I I k I I i 1 f I i 1 i i I k l I I 1 .i . _ _. _ _... _ _ _ _ _. _ _ _ _.. _,,. _ _ _ _ _ _ _ _ _ _ _ _ _ _ _, _,.,, _ _.. _,. _.. _ _., _ _ _ _ ~ _. _ _.. _ _.. _ _. _ _ _ _., __. __._ _ -

6. Isolation Devlees A. The Data Acquisition System (DAS) provides electrical isolation between the non safety related SPDS and the plant's safety-related instrumentation systems. The DAS is designed such that a fault associated with any input or I output will not affect any other input or output. A block diagram of one channel of the DAS is provided as Attachment 2. The devices within the dotted box comprise the remote I/O cabinets. The inputs are instrument i loops and the output is a high speed serial link via fiber optic cable. The inputs are isolated with various modules selected for the specific signal type. A copy of the test procedure for these isolation modules was previuusly provided. The report documenting test results on isolation modules contained in one I/O cabinet is provided as Attachment 3 (Remote I/O Equipment liardware Acceptance Test Procedure for NUS Corp./Daltimore Gas and Electric

Company, Calsert Cliffs Data Acquisition

System, dated February 20, 1984). hiodules in other cabinets have undergone similar testing and their test reports are available, if requested. Abnormalities or non-conformanc'.s encountered during testing are documented and disposition (d per Section 3 of the test report.

D. hiaximum design withstand soltage is 600Y sustained and 1250Y surge per IEEE Standard 472. Calvert Cliffs electrical circuit and raceway design criteria insures separation between circuits such that input cables are not touted j with cables for circuits above 500Y rating. C. Output is sia fiber-optic link. D. A representative sample of isolation modules was tested to ensure no change of output data and no change in functionality due to the surge test. The results are acceptable. The test procedure 2nd acceptance criteria are described in Attachment 3. l l E. The isolation desices comply with Calvert Cliffs seismic and ensironmental ] Qualification program requirements. [ a t 1 F. The design standards applied to tha DAS isolation devices will ensure ] adequate electrical separation betw een the SPDS and safety-related systems i commensurate with original plant electrical design criteria. l I 1 i l l 1 I 1 j l

l l 7. llyman Factors Pronram i The CCNPP SPDS will assist control room personnel in evaluating the safety status of the plant during normal and abnormal operating conditions, iluman factors engineering has been incorporated into its design using NUREG 0700 and NUREG-0835 as guideline documents. The SPDS is a software based system integrated into the new plant computer which includes one 19-inch and one 25-inch plant computer monitor per unit mounted on the control boards, one 11-inch SPDS monitor per unit and one 13-inch plant computer munifor capable of displaying either unit all mounted on the senior operator's desk (see Attachment 4), one 13 inch plant computer monitor per unit mounted on the operator's desk, one plant computer moi.ber capable of displaying t either unit mounted on the shift supervisor's console, and one 13 inch SPDS monitor per unit located in the Technical Support Center. The SPDS will preside sescral displays organized under the following CSF headings: 1. Reactisity i 2. RCS Pressure and Inventory j 3. Core /RCSilest Removal 4. Containment Environment { 5. Containment isolation i 6. Radioactivity Control 7. Vital Auxiliaries Under each CSF heading, parameters are displayed which support the CSF in a maraer i consistent with the new function-oriented emergency operating procedures cu r',ntly i i in place. These displays make estensise use of color and coding tect.eiques. j Displays are selected by the operator through keyboard ac.3an, the CRT cursor, or the touch screen poke points. I Dimlav Formata i Parameter data presented to the operator is grouped under CSF headings in a l readily usable format. The following displays are available: Plant Operating Summary (2 pages) i Alarm / indication l Point Status l 1 Reactistry (3 pages) 1 Control Element Assembl> (CEA) Matris Display ) .klarm/ indication } 9 int Status ) i i l i RCS Pressure and inventory (4 pages) l I RCS P&lD 1 RCS Press Temp Plot l Alarm / indication Point Status i Core /RCS liest Removal (7 pages) Alarm / indication I Point Status CET hiap CET Trend Containment Environment (2 pages) l Alarm / indication i Point Status j i Containment isolation (2 pages) r Alarm / indication Point Status l Radioactivity Control (2 p,tges) Alarm / indication i Point Status l [ Vital Availlaries (3 pages) l t Alarm / indication Point Status l Electric Bus htimic A CSF window matris is located at the top of each display page with the highest priority CSF toward the left.. These CSF boses change color depending on alarm status. Vertical bar graphs are typically located below the CSF matris foi parameter display. The lower portion of the screen is used to display system status information. The display information directly supports its assxisted CSF. Information is repeated if necessary to minimlre requirements for operator memcry. [ prosides the Plant Operating Summary and all the Critical Safety [ Functions Alarm / Indication display formats. l 19 i t I

l l l a Disolav Formst liierarchv Page one of each CSF is accessed by keyboard action using fixed function keys, the CRT cursor or by preselected CRT poke points on the two touch screen displays, 1 Once in a CSF, the user can page down or up, within a CSF, using the 'PAGE FWD' or l j 'PAGE BWD' keys or CRT poke points. An alarm / indication box located at the bottom right hand corner is used to access e lower list of alarm descriptors for use in that CSF. The intent of this poke point is to allow quick access to the alarm descriptors while avoiding screen clutter of the first page listing. I Color and Codine Techniouca The following color cod.ng scheme is employed on the CCNPP SPDS-l l GItta i a) For CSF histrix: No decrease in CSF margin; no failure of a safety system

detected, i

b) For Indisidual Pararreters: Parameter within its normal range, i ellow a) For CSF Matris: CSF margin decreased. b) For Individual Parameters: Normal range limits e iceeded. l a) For CSF Matris: Failure of a safety system; the CSF margin it substantially i decreased. I b) For Indisidual Parameters: Normal range limits substantially esceeded. i I White l l Bus energized (Electrical ilusses Diagram), l 1 l Mseents For CSF only: One or more logic gates in an alarm algorithm for that CSF sre insalid due to missing data or failed sensor, l l 4 I i s. CXan Background information. i Color intensity (normal vs. Iow) is used to separate dynamic from static information, Border lines, format lines to separate parameter bars, and titles for parameters are displayed in low intansity cyan. The vertical bar graphs, digital values and system status are displayed in low inteasity green and normal intensity yellow and red. Low intensity green, an exception for using normal intensity for dynamic information, provides greater contrast between the yellow and red. Bar graphs, digital values and system status information change color depending on parameter status. In order to attract the viewer's attention, the CSFs at the top of the display format are in color and inverse video. If one of tne alarm algorithms supporting a particular CSF has missing or invalid data, a small magenta square appears in the far right hand corner of the CSF box. This is visible to the viewer and is also noticeable on black and white hard copy. Sensor validity also makes use of i the inverse video technique. r Location and Readability 1 The principal users of the SPDS will be the Shift Supervisor and the Shift l Technical Advisor (STA). The monitors are located such that they are readily accessible to both principal users. The SPDS displays are not complex in format and occupy less than 30% of the total screen. Alphanumeric characters are displayed using a 7x7 dot matrix. i l Audible Alarm The CCNPP SPDS will alarm the plant annuticiator system when sensing a "RED" or "YELLOW

CSF alarm condition. This alarm, as with all control board alarms, will be acknowledged and reset at the control board. The Shift Technical Advisor will be able to cut out the CSF alarm by SPDS keyboard action, thereby allowing i

additional CSF alarms to annunciate the control board. If the cut-out pushbutton is not depressed, the control board annunciator window will remain in alarm until the SPDS no longer senses the alarm condition. The purpose of this audible control board alarm is to bring a degraded CSF condition to the attention of the STA. l i i 21

l l 8. Data Validation Validation techniques used for the SPDS alarm algorithms and parameter indications are dependent upon the number of sensor inputs available and the type of alarm or indication algorithm employed. Alarm algorithm validation is indicated by coding techniques used on the CSF matrix windows and by inverse video of the invalid line item on the ALARhi/ INDICATION page, invalid parameter indication is indicated by inverse video of the digital readouts below the vertical bar graph displays and by inverse video of the insalid line item on the ALARhi/ INDICATION page. Alarm Validation A arm algorithms make extensive use of sensor channel redundancy for validation. Alsrm algorithms which have four redundant sensor inputs use a two-of-four logic te generate an alarm condition, if one or two signals from any of the four channels is invalid or missing, t'te logic changes to two-of-three or two-of-two, respectively, and a small magenta color box appears next to the associated CSF. If greater than two sensors are invalid or missing, tl SF window will change to a magenta color and the alarm descriptor on the ALA NDICATION page will be displayed in inverse video indicating an invalid alarm agorithm. Alarm algorithms which have two redundant sensor inputs use a two-of-two logic for generating an alarm condition. If one signal is invalid or missing, the logic i changes to one-of-one and a small magenta square will appear next to the associated CSF. If both sensors are invalid or missing the CSF will change to a magenta color and the alarm descriptor on the ALARht/ INDICATION page will be displayed in inverse video indicating an invalid alarm algorithm. Alarm algorithms without redundant sensor inputs will alarm when the sensor exceeds its setpoint. If the signal is invalid or missing, the CSF will change to a magenta color and the alarm descriptor on the ALARht/ INDICATION page will be displayed in inverse video indicating an invalid alarm algorithm. Magieter Indication Parameter indications which have two or more redundant channels will average the two channels in closest agreement for display information. An instrument loop uncertainty is used to evaluate the validity of the indication. This loop uncertainty is based upon worst case accuracy of components within the loop. If the two closest channels deviate from each other by more than the calculated loop l uncertainty, the indication will be flagged invalid. Indications which have only one sensor input are not validated. Invalid parameter information is indicated by inverse video of the digital readouts below the vertical bar graph displays and by inserse video of the invalid line item on the ALARht/ INDICATION page. 1 1 l 9. Safety Analysis The SPDS will provide human-factored displays for critical safety functions to aid the control room personnel in rapidly and reliably determining the safety status of the plant and in assessing whether abnormal conditions warrant corrective actions by the operators to avoid a degraded core. The SPDS is designed to be available during all design basis events at the plant except for a seismic event. It is not single failure proof. .ne human factors review is performed in conjunction with other design validation tasks. The resolution of human engineering discrepancies (llEDs) and any exceptions taken to NRC or industry guidelines are documented. The display I formats satisfy the applicable functional guidelines specified in NUREGs 0696, 0700, and 0835. The probability of occurrence or the consequences of an accident or malfunction of equipment important to safety previously evaluated in the FSAR is not increased. The SPDS is isolated from safety-rclated signals. It receives data via a link from the plant data acquisition system (DAS). The DAS is a two channel isolation and multiplexing system which will provide data base updates to the plant computer. The possibility for an accident or malfunction of a different type than any evaluated previously in the FSAR is not created. The use of data redundancy to the extent practicable, human-factored displays, and a verification and validation program, will minimize the potential for misleading the operator. Since the redundancy and reliability of control room indications often exceeds that possible within the SPDS, the new functionally oriented emergency operating procedures (EOPs) contain instructions for plant operators to verify SPDS indications using control board indications prior to taking any corrective actions. The OSSRC reviewed the SPDS safety analysis on September 21 and December 20, 1984, and has concluded that the SPDS will not pose an undue risk to the public health and safety, i l 4 )! :

~ ATTACHMENT 1 l' STEETY FUllCTI0tl STATUS CllECK BASES REACTOR TRIP Figure 4-9a The safety functions l'isted below and their respective criteria are those used to confirm the adequacy of the RT Guideline in raitigating the event. SAFETY ACCEPTAtlCE FUllCTI0tl CRITERIA IllDICATI0tt RAtlGE BASES Reactivity Reactor Power Decreasing Power Range [0-125%) For all emergency events, the Control and reactor must be shutdown. The [tlegativeStartupRate] Power Rate [-I + 7 dpm) criteria that no more than one CEA and be stuck out or the RCS be borated tiot more than 1 CEA Bottora CFA Status On/0ff Light observes typical Technical Specifi-Light flot Lit or Borated Display for each CEA cation requirements. p per Tech Specs I Maintenance of Vital Auxiliaries [ < ------ -------------------------- ----- P l a n t S p e c i f i c --------- --~----- ------------------- > ] (AC A DC Power) RCS Inventory [35"] 1 Pressurizer Level Pressurizer [0"-350"] A value of [245"] ([70%] of range) . < [245"] Level was chosen as an upper limit for Control and pressurizer level to account for Charging and Letdown are instrument inaccuracies and other being operated manually or uncertainties. A value of [35"] automatically to maintain ([10%) of range) was chosen as a or restore pressurizer level lower limit to account for instru-o ment inaccuracy. and L RCS > [20*F] Subcooled A [20*F] subcooling margin coexist-r'0 and ing with a pressurizer level in the [No reactor vessel voiding [RVLMS] [0-100%] range [35" to 245"] indicates E 3 as indicated by the RVLMS] adequate RCS inventory control via ? a saturated bubble in the pressur-g izer.

6 L

i -

N SAFETY FUNCTION STATI15 CilECK BASES REACTOR TRIP Figure 4-9b The safety functions listed below and their respective criteria are those used to co[ifirm the adequacy of the RT Guideline in mitigating the event. SAFETY ACCEPTAftCE FUtlCTI0tl CRITERIA IllDICATI0ft RAtlGE BASES RCS Inventory Control (Cont'd) An uncomplicated reactor trip should not result in reactor vessel voiding. RCS Pressure [1700 psia] < Pressurizer Pressurizer [1500-2500 [1700 psta] corresponds to the SIAS p^ Control Pressure < [2350 psia] Pressure psia]/. alarm setpoint. [2350 psia] is the y and [0-1600 psia] high pressure alann setpoint. Best Pressurizer heaters and estimate analysis shows that the spray are being operated selected events will fall within the manually or automatically above range. to maintain or restore pressurizer pressure to within the limits of the P/T curves Figure 4-1. Core IIcat Removal T -TC < [10*F] T [520"-610*F] Best estimate analysis demonstrates g g and that S/G AT will be less than [10*F] DCS > [20*FJ subcooled T [0*-600*F] in the steaming loop with RCPs ~ C running and at least one S/G steam-n [Subcooled [0*-100*F] ing. [20*F] subcooled margin is E Margin based on engineering judgement to .L Honitor] assure adequate core cooling account-I" ing for temperature variations in the E - RCS. Best Estimate analysis shows that the noted events will fall in 3 the selected ranges.

P po

~4 SAFETY FUNCTION STATUS CllECK BASES REACTOR TRIP Figure 4-9c The safety functions listed below and their respective criteria are those used to co'nfirm the adequacy of the RT Guideline in mitigating the event. SAFETY ACCEPTANCE FUNCTION CRITERIA INDICATION RANGE BASES RCS I! cat Removal a) At Icast one S/G has Steam [+63.5" - Decay heat levels may not be high level: Generator (-)l16.5"] enough to require a feedwater flow i) within the normal Level of [150 gpm]., If this is the case, Icvel band with once steam generator level is feedwater available returned to the zero power level to maintain the i* Icvel band and feedwater remains available to maintain that level, then RCS g; or heat removal is being satisfied. ii) being restored by a j feedwater flow > [545'F] is based on control program [150gpm] for atmospheric dump valves and j 1 and turbine bypass valves, and best h) RCS T is < [545'F] estinate analysis. ave ~ Containment Containment Pressure Containment f0-60psig] [1.5 psig] is based on the contain-Isolation ~ < [1.5 psig] Pressure [0-15psig] ment pressure alarm. It is not expected, for the selected events, that containment pressure will and increase to the alarm setpoint. g; No Containment Area Containment Alarming - During an uncomplicated reactor trip i: Radiation Monitors Alarming Area Radia-Not Alarmins there should be no radiation in con-tion Moni-tainment. The indicators should not ro and tors be alarming. o i a No Steam Plant Activity Steam Plant Alarming - Steam plant activity is an indica-tbnitors Alarming Radiation ilot Alarming tion of an SGTR and is not antici-g; Monitors pated for a RT.

l ils .g! w H SAFETv FUNCTION STATils C11CCK llASES 1 REACTGR TRIP ) Figure 4-9d The safety functions listed below and their 5,)cctive criteria are those used to confiru the adequacy of the RT Guideline in mitigating the event. ) SAFETY ACCEPTAttCE FUtiCTI0tl CRITERIA IllDICATION RANGE BASES Containment Containment Pressure Containment [0-60psig] [1.5 psig] is based on the contain-Temperature and <[1.5psig] Pressure [0-15 psig] ment pressure alann. It is not Pressure Control expected, for'.the selected events, that containment pressure will i and increase to the alarm setpoint. J j p Containment Temperature Containment [50*-300*F] Maximum normal expected average j <[120*F] Temperature containment air temperature. m I Containment 112 < [2%] [<-------=-

-----Plant Specific-------- --------------->]

Conbustible Gas Control i 4 1 e i l m w 0

/YTYM'OML~N7* g. wr susr CDM NTEL _C e MP WDr i i ... i i i t I . ~ l o tu o r. e oturn C' M -- MTA p con C ENTE.ATOR / nurA --~ ~ ~ - ~ p caermitR. r Jrse J_ Des @ NIGH

3 fC c 0

$ Y ST EM ggzug frwrtl - a LINK - ---~~~ ~-*~~7 I'-~ ww.ucto A&Ar.W e s I i = l .M LS l t l (~ l I gre i Suasysn;e1 J T i i a 1 l 4 e I 2:7 i S G, s t.s.rst ( . 3 I I I ' 12thrrt $1T2' Equipp2pt* l L...................> e (ry iut (pux;i) DATA Acoutomon Sy.$7gn p 't i e

}}

ML20155D571: Difference between revisions

Latest revision as of 21:50, 10 December 2024

Text

Navigation menu

ML20155D571: Difference between revisions

Latest revision as of 21:50, 10 December 2024

Text

Navigation menu

Search