ML17300B303
| ML17300B303 | |
| Person / Time | |
|---|---|
| Site: | Palo Verde  |
| Issue date: | 07/08/1999 |
| From: | NRC (Affiliation Not Assigned) |
| To: | |
| Shared Package | |
| ML17300B302 | List: |
| References | |
| GL-98-01, GL-98-1, NUDOCS 9907150055 | |
| Download: ML17300B303 (20) | |
Text
U.S. NUCL'EAR REGULATORYCOMMISSION OFFICE OF NUCLEAR REACTOR REGULATION AUDITREPORT'ON IMPLEMENTATIONOF GENERIC L'ETIER 98-01, "YEAR2000 READINESS OF COMPUTER SYSTEMS AT NUCLEAR POWER PLANTS" Docket Nos:
License Nos:
Licensee:
Facility:
Location:
Dates:
Audit Team Members:
Approved by:
STN 50-528, STN 50-529, and STN 50-530 NPF-41, NPF-51, and NPF-74 Arizona Public Service Company Palo Verde Nuclear Generating Station, Units 1, 2, and 3 Phoenix, AZ May 18-20, 1999 Mario Gareri, NRR Alvin Bryant, NRR Jerry Mauck, NRR Jose A. Calvo, Chief Electrical & Instrumentation and Controls Branch Division of Engineering Office of Nuclear Reactor Regulation
'EXECUTIVE.
SUMMARY
On May 18-20,,1999,'.the staff of the.U. S. Nuclear Regulatory Commission (NRC) conducted an audit of the Year:2000 (Y2K) Readiness Contingency Planning Program at the Arizona
'ublic Service Company's (APS's) Palo Verde Nuclear Generating Station (Palo Verde), Units 1, 2, and 3. The audit addressed the contingency planning activities for six classes of plant systems, internal facilityrisks, external risks, and activities that integrated these contingency plans into a single overall plan. The basis for this audit was provided in two nuclear industry guidelines, Nuclear Energy Institute/Nuclear Utilities Software Management Group (NEI/NUSfUIG) 97-07, "Nuclear UtilityYear,2000 Readiness," and NEI/NUSMG 98-07, "Nuclear UtilityYear 2000 Readiness Contingency Planning." The audit guidelines were provided in a checklist format, "Y2KReview Checklist for Contingency Planning," which was based on the two NEI/NUSMG reports.
Additionally, the audit addressed emergency generator availability and equipment issues.
The audit team reviewed selected licensee documentation regarding the Palo Verde. Y2K readiness program and conducted interviews with the cognizant licensee personnel.
The results of this audit and subsequent audits at other selected plants willbe used by the staff to determine the need for additional action, if any, on Y2K readiness for nuclear power plants.
The audit team noted some instances of omitted information and editorial inconsistencies between individual system contingency plans and the integrated contingency plan. The reviewers noted that these inconsistencies would have been identified by the Quality Assurance (QA) Organization had it been more involved during earlier stages of the development of the Y2Kcontingency plans.
However, these inconsistencies were discussed with the Y2K project 9907150055 O'20708 POR ADOCK 05000528'OR ENCLOSURE
0 team and resolved before the end of the audit. Palo Verde management had also not officially signed the individual and integrated. contingency plans at the'time of the audit. The licensee plans to have a complete QA review and final plans approved and signed by management before June 30, 1999.
On the basis of its assessment and evaluation of the Palo Verde Y2K Readiness Contingency Planning Program, the audit team concluded that, the Y2K Readiness Contingency Planning Program and associated detailed procedures for implementing the program at Palo Verde are adequate.
The licensee has a common Y2K project implementation plan which establishes the scope and control of the Y2Kcontingency planning at the Palo Verde nuclear plants. The Y2K contingency planning is comprehensive and incorporates the major elements of the nuclear power industry Y2Kguidance contained in NEI/NUSMG 97-07 and NEI/NUSMG 98-07. The audit team found that the Y2K program is receiving appropriate management support and oversight. The project is well organized and adequately staffed.
The successful completion of activities to achieve Y2K readiness by July 1, 1999, appears to be on track.
1.0 INTRODUCTION
.On May 18-20, 1999, the staff of.the NRC conducted an audit of the Y2K Readiness Contingency Planning Program at the APS Palo Verde site. The purpose of the audit was to (1) assess the effectiveness of contingency planning management, development, and integration, and (2) evaluate remediation risk, internal facility risk, and external risk to ensure that the licensee's schedule is in accordance with NRC Generic Letter (GL) 98-01, "Year 2000 Readiness of Computer Systems at Nuclear, Power Plants," guidelines for achieving Y2K readiness by July 1, 1999.
The audit team reviewed the Palo Verde Y2K Readiness Contingency Plan and associated project documentation and interacted with the Palo Verde Y2Kcontingency planning team. The documents reviewed by the audit team are listed in Attachment 1. The. audit specifically addressed the contingency planning activities for six.classes of plant systems, internal facility risks, external risks, and activities that integrated these contingency plans into a single overall plan. The basis for this audit was provided in two nuclear industry guidelines, NEI/NUSMG 97-07, "Nuclear UtilityYear 2000 Readiness," and NEI/NUSMG 98-07, "Nuclear UtilityYear 2000 Readiness Contingency Planning." The audit guidelines were provided in a checklist format, "Y2KReview Checklist for Contingency Planning," which was based on the two NEI/NUSMG reports.
Additionally, the audit addressed emergency diesel, generator availability and equipment issues.
The audit process began with an entrance meeting:attended by the Palo Verde Y2K project manager, site management, other plant personnel, the NRC senior resident inspector, and members of the NRC audit team. At the end of the entrance meeting, the Y2K project manager described the project organization, the project plan, the implementation of the project, and the project's current status. lists the entrance meeting attendees.
The project appears to be well organized and adequately staffed. The project organization includes a:contingency planning lead as the. single point of contact. for the contingency planning process.
On the basis of the audit team's interaction with the project staff,'the audit team.
4i considers the Y2K project staff to.be very competent and knowledgeable in the activities they perform. The licensee has shown a considerable amount of ownership of Y2Kcontingency planning by participating in peer reviews with other. nuclear power utilities and industry groups.
The audit activity concluded with an exit meeting in which the audit team summarized-the results of the audit. Attachment 3 lists the exit meeting attendees.
2.0 DESCRIPTION
OF THE PALO VERDE Y2K CONTINGENCY PLAN The 'Year 2000 Readiness Contingency'Planning Guide" uses a framework similar to that described in NEI/NUSMG 98-07. The guide provided guidance for developing the Palo Verde Integrated Y2K Contingency Plan,,as well.as establishing the scope and method, of development of individual contingency plans.
These guidelines are consistent with the guidance in NEI/NUSMG 97-07 and NEI/NUSMG 98-07. The integrated contingency plan was developed from individual contingency plans in the areas of remediation risk, internal facility risk, and external risks to provide a comprehensive action plan to mitigate Y2K-induced events that could occur on key rollover dates.
3.0 CONTINGENCY AUDITS The audit team reviewed in detail 28 individual system contingency plans (22 for specific plant systems and 6 related to external risks), the integrated plan, and documents related to the development and implementation of overall. contingency management.
The audit team also reviewed internal facility risk contingency plans and external risk contingency plans. The, team met arid interacted with Palo Verde Y2Kstaff throughout the review process.
3.1 PlantS stems Contin enc Audits The staff identified and reviewed contingency plans addressing specific software applications and embedded components (SAECs) in six classes of plant systems: reactor protection system (RPS) and engineered safety features (ESFs), feedwater systems (FWS) and balance of plant (BOP) systems, radiation monitoring systems (RMS), emergency notification systems (ENS),
the plant process computer (PPC), and plant security systems (PSS).
The specific packages reviewed are listed below:
RPS/ESF SAEC Contingency Plans The staff reviewed two contingency plan packages in this class of,plant systems: Core Protection Calculator Computer (CPC) [PV-INT-007]and the Control Element Assembly Calculator (CEAC) [PV-INT-027].
FWS/BOP SAEC Contingency Plans The staff identified and reviewed five contingency plan packages in this class of plant systems: Digital Feedwater Control System (DFWCS) [PV-INT-001], Modicon ASCII Module in the Diverse AuxiliaryFeedwater Actuation System (DAFAS) [PV-INT-002],
Station Blackout (SBO) Gas'Turbine Generator (GTG) Components [PV-INT-003], Plant
Cl
Multiplexer (PMUX) [PV-INT-006], and Water Reclamation Facility,(WRF) ICS and Dual UCMs. [PV-INT-016].
RMS SAEC Contingency Plans The staff reviewed four contingency plan packages in this class of:plant systems: Gaseous Radioactive Effluent Tracking System (GRETS) [PV-INT-013], TLD [Thermoluminescence dosimeter] Recording and Evaluation Computer System (TRECS) [PV-INT-015], Personnel Contamination Monitors (PCMs) [PV-INT-020]; and RMS Mini-Computer [PV-REM-003].
ENS SAEC Contingency Plans The staff identified and reviewed five contingency plan packages in this class of plant systems: Emergency Response Facility Data Acquisition and Display System (ERFDADS)
[PV-INT-008], EPBX Switchboards [PV-INT-29], Microwave Digital Radio (MDR-4000, MDR-6000) [PV-INT-28a], Meteorological Data Transmission System (MDTS) [PV-REM-002], and Plant Two-Way Radio System (QAG) [PV-INT-028].
PPC SAEC Contingency Plans The staff identified and reviewed five contingency plan packages in this class of plant systems: Plant Monitoring System (PMS) [PV-INT-005], Stator Leak Monitoring System (SLMS) [PV-INT-004], Chemical Laboratory Analysis Storage Systems (CLASS) [PV-INT-12], Vibration Monitoring System (RCPOVMS) [PV-INT-011], and Vibration and Loose Parts Monitoring System (LPEAC) [PV-INT-010].
PSS SAEC Contingency Plans The staff reviewed the contingency plan package. for. the PSS [PV-INT-009].
3.2 Additional Items In addition to the contingency planning areas addressed by the Y2Kcontingency planning checklist, the staff reviewed the items discussed in the following sections.
3.2.1 Assumed Duration of Loss of Offsite Power The licensee's planning assumptions include the possibility of localized, power outages of nondetermined durations.
In the event of a complete loss of offsite power, the Palo Verde.
emergency diesel generators willprovide power for 7 days while at full load.
Additionally, the licensee willbe watching time zones to the east and willhave a representative in Korea (who willobserve the performance of a similar Combustion Engineering (CE) reactor during the Y2Ktransition for that earlier time zone) to anticipate potential problems during the Y2Ktransition. A Y2KControl Room Communicator willcommunicate between the Y2K Central Communicator and the Unit 1 control room (Operations).
The Y2KControl Room Communicator will keep the Y2K Central Coordinator, by way of the Y2KCentral Communicator, informed
if'
-'5-about plant and electrical grid status and the need for assistance.
Me willalso keep the Operations staff informed of outside information from the Y2KCoordinator.
The Y2K Central Communicator remains in the Emergency Offsite Facility (EOF) in contact with CE and the Combustion Engineering Owners Group (CEOG) representatives in Korea, the NRC, and the other nuclear power generation facilities. The Unit 1 Shift Manager, or the Site Manager, will remain the primary source of communication to Units 2 and 3.
3.2.2 Runnin Time and Availabili Without Offsite Power of the Switch ard Batte and Circuit Breaker Auxiliaries i.e. Com ressor Gas Su I
The switchyard battery is capable of operating for 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> and a sufficient compressed gas supply willbe available to operate the circuit breakers for approximately 2 days.
3.2.3 Staffin Durin Rollover Staffing details are provided in the Y2Kcontingency plan, which includes staffing for "workarounds." Additional Y2K personnel willbe on site to support operation of the Y2K Central EOF. A summary of planned additional on-shift operations personnel includes one senior reactor operator, three reactor operators, and seven auxiliary operators.
Additional security officers willalso be allocated during the Y2K rollover in the event of any loss of security system functions.
3.2.4 Y2K Procedures Existing plant procedures have been identified as adequate for mitigating any Y2K internal-induced event. This determination is based on the premise, that existing emergency operating procedures are based on a mitigation,strategy that is procedurally independent of the initiating event. Therefore, plant procedures contain sufficient guidance to ensure mitigation of any reasonable Y2K-related event.
Furthermore, the Palo Verde.Integrated Y2K.Contingency Plan provides specific Y2Kmitigation strategies that supplement existing plant procedures.
3.2.5 Internal and External Communications Contin encies
\\
Palo Verde has multiple fullyredundant communication capabilities, including internal and external telephone systems, radio systems, cell phones, and soon-to-be-added satellite phones.
Direct access'is available for emergency communications with the. police department and emergencyservices.
Useof the 911 emergencyphonenumber.
isabackup method.
In addition, Palo Verde has its own medical facilityand fire engine located onsite.
The licensee willset up a "reverse" call-out in the event that the notification system is unavailable.
The shifts have been identified and willshow up for work without being called (negative callback). The reverse call-out requires all affected team members to report to the Palo Verde site at 2 a.m. on January 1, 2000, unless notified not to report.
!Q>
II
-'6-3.2.6 Use of AR Rela s in the,Emer enc Power S stem The emergency diesel generators at Palo Verde do not use AR relays.
The licensee is familiar with the relay issue at Seabrook and has determined that a similar problem does not exist at Palo Verde.
3.2.7 Partici ation'in the North American Electric Reliabilit Council NERC Drillon Se tember9 1999 The licensee willparticipate in the NERC drill:
3.2.8 NRC Communications Contin enc Plan, for Year 2000 Rollover The licensee, is familiar with the NRC Communications Contingency Plan.
3.2.9 Securit S stems The security systems are included in the licensee's contingency plans.
3.2.10 Remediated S stems Classification Some remediated systems are not mission-critical systems.
Those systems that are. mission critical and have been remediated are addressed in contingency plans.
3.2.11 T~rainin The training plans have been identified and the training schedules are included in the contingency plans.
4.0 AUDITTEAM OBSERVATIONS On the basis of the audit team's review of Palo Verde's Y2K Readiness Contingency Planning Program, the audit team makes the following observations:
1.
In the area of contingency planning management, the staff determined that licensee Y2K activities were consistent with NEI/NUSMG 98-07.
2.
In the. areas of contingency, planning. for internal facility risks, event analyses for internal facility risks,.and risk management for internal facility risks, the staff determined that the licensee's Y2K activities were consistent with NEI/NUSMG 98-07.
However, the staff determined that the verification of internal facility risks was not yet completed.
This issue was discussed with the licensee and the verification is expected to be completed by June 30, 1999.
3.
In the areas of risk identification for external risks, event analysis for external risks, risk notification, mitigation strategy selection, and verification for external risks, the staff determined that the licensee's Y2K activities were consistent with NEI/NUSMG 98-07.
i 4.
In the areas of development of integrated Y2K contingency plan and integrated Y2K contingency plan content, the staff determined that the licensee's Y2Kactivities were consistent with NEI/NUSMG 98-07.
However, the staff noted some minor inconsistencies between the integrated contingency plan and the individual contingency plans.
These inconsistencies indicate that contingency plan verification activities should receive additional attention in the near term, and more attention in the long term. The staff discussed this recommendation with the Y2K project manager and concluded from.these discussions that the Y2K project manager willbe addressing this recommendation.
Palo Verde management had also not officiallysigned the individual and integrated contingency plans at the time of the audit. The licensee plans to have a complete QA review and final plans approved and signed by management prior to June 30,1999.
5.
In the areas reviewed for the six classes of plant systems, the staff found the overall contingency plans to be consistent with the guidance in NEI/NUSMG 97-07 and NEI/NUSMG 98-07.
However, as previously stated, the audit team noted some instances of omitted information and editorial inconsistencies between some of these individual system contingency plans and the integrated contingency plan. The reviewers noted that these inconsistencies would have been identified by the. QA Organization had it been more involved during earlier stages of the development of Y2Kcontingency plans.
Nevertheless, the licensee plans to have a complete QA review before June 30, 1999, which would resolve these and other such inconsistencies.
6.
The Palo Verde Y2K Readiness Contingency Planning Program and associated detailed procedures for implementing the program at Palo Verde are considered to be adequate.
The licensee has a common Y2K project implementation plan which establishes the scope and control of the Y2K contingency planning at the Palo Verde nuclear plants. The Y2K contingency planning is comprehensive and incorporates the major elements of the nuclear power industry Y2Kguidance contained in NEI/NUSMG 97-07 and NEI/NUSMG 98-07.
The audit team found that the Y2K program is receiving. appropriate management support and oversight.
The project is well organized and adequately staffed. The schedule for completing the Y2K readiness contingency planning is tightly controlled, therefore the plants are expected to be ready by June 30, 1999.
5.0 CONCLUSION
On the basis of the results obtained during the NRC contingency audit, the staff concludes that the licensee's contingency planning activities are acceptable.
Attachments:
1.
List of Documents Reviewed 2.
List of Attendees at Entrance Meeting on May 18, 1999 3.
List of Attendees at Exit Meeting on May 20, 1999
0 Ol
LIST OF DOCUMENTS REVIEWED NAD/Region IV'UtilitiesY2KAudit: Doc. No. Audit Report 98-2000, dated December 18, 1998.
Palo Verde Y2K Description and Justification of Priority 1-4 Systems Requiring Remediation.
Palo Verde Y2K Project Record, Y2K-EQUIP-CM - EW: Plant Equipment Records.
Palo Verde Y2K Project Record, Y2K-EQUIP-GT: SBO Gas Turbine Generators (GTG).
Palo Verde Y2K Project Record, Y2K-EQUIP-SA: Diverse AuxiliaryFeedwater.Actuation System (DAFAS).
Palo Verde Y2K Project Record, Y2K-EQUIP-SB Core'Protection Calculators (CPC).
Palo Verde Y2K Project Record, Y2K-EQUIP-SD: Emergency Response Facility Data Acquisition and Display System (ERFDADS).
Palo Verde Y2K Project Record, Y2K-EQUIP-SK: Plant Security System (PSS).
Palo Verde'Y2K Results Summary.
Palo Verde Year 2000 Readiness Contingency Planning Guide.
Y2K-Integrated Contingency Plan, Rev. B, dated May 14, 1999.
Y2K Readiness Plan for Palo Verde Rev. 3, Doc. No. Y2K-ADMIN-01; Y2KTracker 2000 Database:
Doc. No. Y2K-ADMIN-05.
Year 200 Status of Palo Verde Switchyard (Salt Water River Project.Switchyard Certification Letter dated April 16, 1999).
ATTACHMENT.1
0 0
LIST OF ATTENDEES Entrance'Meeting - May 18, 1999 Daniel G. Marks R. Kirk Brewer G. R. Overbeck A. K. Krainik M. Sontag Bill Ide John H. Hesser Martin'Grissom Chuck Stevens Jim Moorman Jerry Mauck Mario Gareri Alvin Bryant Fred Swirbul Scott Bauer APS APS
,APS APS APS APS APS APS APS NRC NRC/NRR NRC/NRR NRC/NRR APS APS Nuclear Regulatory Affairs-Compliance, Section Leader Nuclear Regulatory Affairs-Licensing, Sr. Consultant Nuclear. Productions, Vice President
.Nuclear. Regulatory Affairs, Department Leader Nuclear Assurance, Section Leader Nuclear Engineering, Vice President
. Nuclear Engineering, Director Palo Verde Y2K Contingency Plan Coordinator Palo Verde Y2K Project Manager Senior Resident Inspector Electrical & Instrumentation and Controls Branch Electrical 8 Instrumentation and Controls Branch Electrical 8 Instlumentation and Controls Branch Palo Verde Y2K, Section Leader Nuclear Regulatory Affairs-Licensing, Section Leader ATlACHMENT2
LIST OF ATTENDEES Exit Meeting - May 20, 1999 Daniel G. Marks Scott. Bauer Martin Grissom R. Kirk Brewer Chuck Stevens E. J. Gouvier Alvin Bryant Mario Gareri Jerry Mauck Jim Moorman G. R. Overbeck Bill Ide APS APS APS APS APS APS NRC/NRR NRC/NRR NRC/NRR NRC APS APS Nuclear Regulatory Affairs-Compliance, Section Leader Nuclear Regulatory Affairs-Licensing, Section Leader Palo Verde Y2K Contingency Plan Coordinator Nuclear Regulatory Affairs-Licensing, Sr. Consultant Palo Verde Y2K Project Manager Design Engineering/Y2K, Sr. Electrical Engineer "Electrical & Instrumentation and Controls Branch Electrical 8 Instrumentation and Controls Branch Electrical 8 Instrumentation and Controls Branch Senior Resident Inspector Nuclear Productions, Vice President Nuclear Engineering, Vice President ATTACHMENT3
O.
e