ML19337A432
| Person / Time | |
|---|---|
| Site: | Crane |
| Issue date: | 09/15/1980 |
| From: | Hamilton W, Keaten R METROPOLITAN EDISON CO. |
| To: | |
| Shared Package | |
| ML19332B231 | List: |
| References | |
| ISSUANCES-SP, NUDOCS 8009260421 | |
Text
LIC 9/15/80
UNITED STATES OF AMERICA
NUCLEAR REGULATORY COMMISSION
BEFORE THE ATOMIC SAFETY AND LICENSING BOARD
In the Matter of METROPOLITAN EDISON COMPANY (Three Mile Island Nuclear Station, Unit No. 1)
Docket No. 50-289 (Restart)
LICENSEE'S TESTIMONY OF WILLIAM P. HAMILTON AND ROBERT W. KEATEN IN RESPONSE TO SHOLLY CONTENTION NO. 13 AND ECNP CONTENTION NO. 1(a) (COMPUTER)
OUTLINE
The purposes and objectives of this testimony are to respond to Sholly Contention 13 and ECNP Contention 1(a), each of which challenges the adequacy of the plant's computer system.
The testimony shows that, contrary to the assumption in the contentions, the computer performs no safety or control functions and that it is not required for the safe start-up, operation or shut-down of the plant.
Rather, the computer is designed as a convenient tool for plant operators and fuel management engineers.
The plant meets the current General Design Criterion 13 through the hard-wired, primary plant instrumentation and control systems upon which the operator relies for, among other things, "real time" information.
Nevertheless, Licensee has installed improved alarm printers and is developing an upgraded computer capability to aid the operators.
INTRODUCTION
This testimony, by Mr. William P. Hamilton, GPU Manager of Process Computer Section, and Mr. Robert W. Keaten, GPU Manager of Systems Engineering, is addressed to the following contentions:
SHOLLY CONTENTION NO. 13
It is contended that the Unit 1 computer system does not meet the requirements for instrumentation and control specified in GDC 13, and is inadequate to insure proper operation of the Unit 1 reactor under all conditions of normal operation, including anticipated operational occurrences and postulated accident conditions.
It is further contended that the lack of real-time printout capability during accident conditions and the lack of sufficient redundancy in the computer system place the public health and safety at significant risk during accident conditions, especially if computer function is lost and no back-up unit is available.
It is contended that until the Unit 1 computer system is upgraded to meet the standards of GDC 13 and until suitable redundancy is provided within the computer system to assure real-time printout capability at all times, permission for restart must be denied on the basis of risk to public health and safety due to inadequate availability of operational information to Unit 1 operators.
ECNP CONTENTION NO. 1(a)
The plant computer for TMI-1 is old, obsolete, and inadequate to respond appropriately in emergency situations.
During the accident at the adjacent TMI-2, the alarm printer on the similar computer at Unit 2 had a delay time of over two and one-half hours at one point, and ran more than an hour behind events for over seven hours.
This delay cannot be viewed as having adequately served the needs of the operators of TMI-2, and there is no reason to believe that a similar accident situation, with as severe or worse consequences, cannot occur at TMI-1 and be severely aggravated by slow and ambiguous computer alarm printer readings.
RESPONSE TO CONTENTIONS BY WITNESSES HAMILTON AND KEATEN:
Contrary to these contentions, the plant computer system at TMI-1 was designed as an adjunct to the primary plant instrumentation and is not required for safe start-up, operation and shut-down of the plant.
Licensee has designed TMI-1 to provide dedicated, hard wired instrumentation and control systems on the control boards.
The TMI-1 computer is not designed or intended to supplant these hard wired instruments and controls.
In fact, total isolation is maintained between the control room instrumentation and the computer system to insure that no activity in the computer system can affect or distort the other hard wired indications available to the operator.
The current General Design Criterion (GDC) 13, Appendix A to 10 CFR Part 50, dated July 15, 1971, requires that
"Instrumentation and control shall be provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated operational occurrences, and for accident conditions as appropriate to assure adequate safety."
TMI Unit 1 was designed and constructed in accordance with the 70 general design criteria as listed in 10CFR50, Appendix A dated July 11, 1967.
(This 1967 version of the GDC, however, contains similar requirements to GDC 13 of the 1971 version.)
TMI-1 FSAR, Section 1.4, contains a discussion of TMI-1 compliance with the 1967 GDC.
The requirements for instrumentation and control for the plant specified in GDC 13 are met by the hard-wired, safety-grade instrumentation in the control room.
The TMI-1 computer system is designed only as a tool for the operators and the fuel management engineers.
It makes available to the operator on a convenient basis or on demand the status of individual plant parameters and certain calculated values, such as heat balance, power level and power tilt, and imbalance which can affect the efficient performance of the plant.
In all cases where there is any effect on the safe operation of the plant, alternate instrumentation or manual procedures are provided to ensure safe operation should the computer system not be available.
Consistent with its role, computer system console displays and printed records are not located on the main control boards but rather are located behind the operators' primary station during plant manipulations.
The operator is alerted by an audible signal when the computer system is recording alarms but his attention is directed to the unobstructed view of the hard wired instruments and controls on the main control boards.
For an overview of the plant status, a second control room operator or shift supervisor can review the computer outputs or interrogate the computer for additional information while not interfering with the reactor operator's view or actions.
Periodically the core performance data is output from the computer system to magnetic tape to provide the input for the long-term fuel management model.
The periodic core performance data is kept in an off-site system and provides the long-term data base for determining fuel performance and refueling requirements.
The computer system performs no control or safety functions.
The Integrated (Analog) Control System (ICS) and the Engineered Safeguard System (ESS) are totally independent from the Plant Computer System.
The status of these systems (ICS and ESS) is monitored by the computer system as well as being displayed on the hard wired annunciators.
The availability of the plant computers for both TMI-1 and TMI-2 has been very high, averaging nearly 100% during the start-up and operation of the units.
Continuously during and following the accident on TMI-2, the computer system was available for the operator's use in calling up current information.
It was used frequently to monitor particular plant variables (i.e., drain tank temperature, in-core thermocouple readings, etc.) and performed this function accurately, reliably and timely.
It continues to be used in this manner and performs satisfactorily all of those functions for which it was designed.
The CRT on the operators' console is available for displaying current alarms if the operator desires.
The operators did not choose to use this function during the accident.
The TMI-1 and TMI-2 plant computer systems are designed to record alarm conditions as they occur in the plant.
They are also designed to print the alarm records on IBM Selectric printers at the speed of the printers.
The operator does not use the printed output for operating directions, but rather as an after-the-fact record of the plant activity.
When alarms occur at a rate faster than the printer can respond, they are stacked up in the computer buffer memory and output as the printer allows.
It is recognized that, regardless of the printer capability, the printed record will always be lagging; the extent of the lag will be dependent on number and rate that the alarms occur.
The system can and does record the alarmed points in the computer buffer memory about 200 times faster (one point every twelve and one-half milliseconds) than the Selectric printers can print.
There is never a lag, however, in the recording of the alarm data in the buffer memory.
It is also recognized that the electromechanical mechanism in the Selectric printers is vulnerable to paper characteristics, environment changes and wear from high usage.
The Selectric alarm printers originally on the TMI-1 computer system have been replaced with higher speed printers that are less susceptible to these mechanical failures.
These printers have fewer moving parts resulting in more reliable printing and at the same time reducing the alarm printer lag during a time of high alarm activity in the plant by approximately a factor of 2 over the Selectrics.
As we stated earlier, the adequacy of the computer system to insure proper operations of the reactor is not relevant since other instrumentation (hard wired) is provided for this purpose.
Computer functions, however, may be helpful to the operator during or following a plant transient, e.g., the reactimeter function that was used extensively after the TMI-2 accident to reconstruct the timing and events that occurred during the accident.
Experience has shown that additional computer functions to aid the operator and the engineers in analyzing plant data are useful.
These include better operator displays, improved data retrieval and additional trending capability.
However, this improved computer capability does not (and cannot) displace the role of the other instrumentation, control and safety systems.
Part of the attraction to improved computer system capability stems from the fact that computer development in the past few years (after the TMI computer systems were purchased) have made available greatly enhanced computer system features.
For example, higher speed and larger internal memories, improved printers, mass memories and CRT displays are now available.
Met-Ed initiated a computer upgrading development program for the TMI computer systems several years before the TMI-2 accident.
This program was intended to be carried out in three phases.
The first phase was the installation, in parallel with the existing computer system on TMI-1, of a Mod Comp IV Computer System with peripherals to provide the enhanced computer system hardware for development of the software in the later two phases.
Software was included in Phase I to provide an extended version of the functions performed by the B&W "reactimeter".
(This provides for the high speed storage and retrieval of data for 112 analog and 112 digital inputs from the plant -- the B&W reactimeter used during the accident on TMI-2 has a total of 24 inputs.)
Phase II was to be the development of software to allow the Mod Comp system to perform the primary functions of (except operator communication), and act as a back-up to, the existing plant computer system.
Phase III was the extension of software development to provide enhanced operator communication facilities, removal of the original computer system and addition of redundant Mod Comp components.
At the time of the TMI-2 accident, this development program on TMI-1 had advanced approximately 50% through Phase II with the high-speed storage and retrieval system, reactivity function, high-speed input/output and the NSS calculations operational on the Mod Comp system.
The initial steps to install a similar system on TMI-2 were underway at the time of the accident.
Since the TMI-2 accident, the Mod Comp development program has been expedited.
Studies are presently underway to determine if additional computer functions can be implemented to aid the operators during a plant transient.
The Mod Comp development effort will continue after the TMI-1 restart to implement all of the functions originally planned plus the additional functions expected to come from these studies.
In summation, while the TMI-1 computer system does not meet GDC 13, it should not be required to be upgraded to GDC 13, since GDC 13 is complied with by other means.
Similarly, hard wired instrumentation provides "real-time" information during normal, transient and accident conditions; it is not the intent of the computer to perform this function.
There are no deficiencies in the TMI-1 computer that result in an unacceptable risk to the public health and safety due to inadequate availability of operational information to Unit 1 operators.
Licensee nevertheless has been and is actively involved, on its own initiative, in improving computer capability as an aid to plant operators.
WILLIAM P. HAMILTON
Business Address:
GPU Service Corporation Interpace Building 100 Interpace Parkway Parsippany, New Jersey 07054
Education:
B.S., Physics, Allegheny College, 1953.
Certificate, Watson School (IBM 650 Computer), Columbia University, 1955.
Post-graduate courses, Computer Logic and Programming, Moore School, University of Pennsylvania, 1955 to 1960.
Experience:
Process Computer System Manager, GPU Service Corporation, 1975 to present.
Administrative and technical responsibility for the specification, design, procurement, programming, testing, installation and upgrading of generating plant real time computer systems.
Principal Engineer, Plant Process Computer Systems, GPU Service Corporation, 1971 to 1975.
Project Engineering responsibility for the design, procurement, programming, testing and installation of all GPU system real time computer systems.
Development of a generic specification for GPU Generating Plant Computer Systems.
Information Systems Coordinator, GPU Service Corporation, 1969 to 1971.
Engineering and coordination of nuclear and fossil generating plant computer systems.
Factory and field testing of the BMC 855 computer system for Three Mile Island Nuclear Station and upgrading of the Keystone/Conemaugh plant computer systems.
Manufacturing Manager, Digital Equipment Division, Leeds & Northrup Co., 1968 to 1969.
Administrative responsibility for the engineering, manufacturing, inventory control, assembly and testing of digital equipment and systems.
Project Manager, Computer Control Systems, Leeds & Northrup Co., 1964 to 1966.
Responsibility for the hardware and software development of the LN 4000 DDC & DDAC system incorporating a SDS 920 digital computer.
Head, Digital System Engineering, Leeds & Northrup Co., 1962 to 1968.
Administrative and technical responsibility for design, programming, testing and installation of digital data logging and computing systems for process control.
Group Chief, Digital Equipment Group, Leeds & Northrup Co., 1958 to 1962.
Supervision of the design and construction of digital components and systems for the generation and dispatch of electric power.
Coordination with Philco Corp. - Transac Division for the development of the LN 3000 process computer system.
Staff Electrical Engineer, Leeds & Northrup Co., 1953 to 1958.
Engineering design, testing and installation of analog and digital process monitoring equipment.
Liaison engineer for joint development between Leeds & Northrup Co. and Burroughs Corp. for a general purpose computer for process control.
Honors and Professional Affiliations:
One patent issued in 1968, "Common Mode Noise Suppressor for Low Level Analog Input Systems."
Presently member of IEEE with active membership on the Plant Process Computer Applications working group.
Presently member of EEI, Engineering and Technical Computer System Committee; formerly chairman of the Generating Plant Process Computer Applications Subcommittee.
Publications:
"High Speed Alarm Monitoring System for Power Plants," IEEE.
"Management Summary of Process Computer System," SAMA.
ROBERT W. KEATEN
Business Address:
GPU Service Corporation 100 Interpace Parkway Parsippany, New Jersey 07054
Education:
B.S., Physics, Yale University, 1957.
Post-Graduate and Professional Courses in Mathematics, Engineering and Business, UCLA, 1960-1972.
Experience:
Manager, Systems Engineering Department, GPU Service Corporation, April 1978 to present.
Responsible for the development and application of specialized analytical skills in such areas as nuclear core reloads and fuel management; plant dynamic and safety analysis; system generating plant process computers; control and safety systems analysis, and analysis of plant operating performance for nuclear and fossil plants.
Served as Deputy Director of Technical Support at Three Mile Island during the post-accident period.
Program Manager, Light Metal Fast Breeder Reactor Technology, Atomics International Division of Rockwell International, 1974 to 1978.
Managed research and development programs performed for U.S. Department of Energy, including programs in reactor physics, safety and component development.
Manager of Systems Engineering, Light Metal Fast Breeder Reactor Program, Atomics International Division of Rockwell International, 1968 to 1974.
Responsible for performance of safety analyses, development of safety criteria and development of instrumentation, control and safety systems design.
American Representative to the OECD Halden Reactor Project in Norway, 1965-1968.
Participated in research on nuclear fuel performance, application of digital computers to nuclear reactors, and on development and application of in-core instrumentation.
Supervisor of Engineering, Sodium Reactor Experiment, Atomics International, Division of Rockwell International, 1962-1965.
Responsibilities included analysis and measurement of the nuclear heat transfer and hydraulic parameters of the reactor core and process systems; specification and installation of nuclear and process instrumentation; design and installation of new control systems.
Senior Physicist, Sodium Reactor Experiment, Atomics International, Division of Rockwell International, 1959-1962.
Performed measurements and analyses of the nuclear and thermal parameters of the reactor.
Experimental Physics Group, DuPont Savannah River Plant, 1957-1959.
Performed measurements and calculations of the nuclear parameters of the reactor lattices.
Honors and Professional Affiliations:
Member of the Nuclear Power Plant Standards Steering Committee of the American Nuclear Society.
Member and past Chairman of the LMFBR Design Criteria (ANS-54) Standards Committee of the American Nuclear Society.
Registered Professional Engineer (Nuclear Engineering), California.
Publications:
"Analysis of TMI-2 Sequence of Events Operator Response," presented to a special session of the American Nuclear Society Conference, San Francisco, November 1979; and to Edison Electric Institute Conference, Cleveland, October 1979.
"The Role of Instrumentation in the TMI-2 Accident," presented at the American Nuclear Society Conference, June 1980.
"Safety and Environmental Aspects of Liquid Metal Fast Breeder Reactors" 35th Annual American Power Conference, Chicago, Ill., May 1973.
"Safety Aspects of the Design of Heat Transfer Systems in LMFBR's" International Conference on Engineering of Fast Reactors for Safe and Reliable Operation, Karlsruhe, Germany, October 1972.
"Safety Criteria and Design for an FBR Demonstration Plant," ASME Nuclear Engineering Conference at Palo Alto, Calif., March 1971.
"Evaluation of Thermocouples for Detecting Fuel Assembly Blockage in LMFBR's," American Nuclear Society Annual Meeting, Los Angeles, California, June 1970.
"A Mathematical Model Describing the Static and Dynamic Instability of the SRE Core II," Reactor Kinetics and Control, AEC Symposium Series 2.
(Also published as NAA-SR-8431.)
"Reactivity Calculations and Measurements at the SRE," ANS Topical Meeting: Nuclear Performance of Power-Reactor Cores, September 1963.
"Measurement of Dynamic Temperature Coefficients by Forced Oscillations in Coolant Flow," Trans-American Nuclear Society 5, No. 1, June 1962.
"Analysis of Power Ramp Measurements with an Analog Computer," Trans-American Nuclear Society 5, No. 1, June 1962.
"Reflected Reactor Kinetics," NAA-SR-7263.
Many other reports covering analytical and experimental work.