ML20035D929

From kanterella
Summary of 920505 Joint Meeting of ACRS Subcommittees on Computers in Nuclear Power Plant Operations & ABWRs in Bethesda,Md Re CR Design for GE ABWR
Person / Time
Site: 05200001
Issue date: 10/31/1992
From: Michelson C
Advisory Committee on Reactor Safeguards
To:
Advisory Committee on Reactor Safeguards
References
ACRS-2817, NUDOCS 9304140123


Text

CERTIFIED BY: Carlyle Michelson - 10/31/92

DATE ISSUED: 6/26/92

SUMMARY

MINUTES OF THE JOINT MEETING OF THE ACRS SUBCOMMITTEES ON COMPUTERS IN NUCLEAR POWER PLANT OPERATIONS, AND ADVANCED BOILING WATER REACTORS
MAY 5, 1992
BETHESDA, MARYLAND

INTRODUCTION

The ACRS Subcommittees on Computers in Nuclear Power Plant Operations and Advanced Boiling Water Reactors held a joint meeting at 8:30 a.m. on Tuesday, May 5, 1992, in Room P-110, 7920 Norfolk Avenue, Bethesda, Maryland.

The purpose of the meeting was to discuss the control room design for the General Electric Company Advanced Boiling Water Reactor (ABWR).

The entire meeting was open to public attendance.

Mr. Herman Alderman was the Cognizant ACRS Staff Engineer for this meeting.

A copy of the presentation schedule for the meeting, and a list of documents submitted to the Subcommittees are included in the Attachment.

ATTENDEES:

ACRS
H. Lewis, Chairman, Computers in Nuclear Power Plant Operations Subcommittee
C. Michelson, Chairman, Advanced Boiling Water Reactors Subcommittee
J. Carroll
I. Catton
W. Kerr
P. Shewmon
D. Ward
E. Wilkins
C. Wylie
P. Davis, Consultant
W. Lipinski, Consultant
H. Alderman, Cognizant ACRS Staff Engineer

General Electric
M. A. Ross
B. H. Simon
J. F. Quirk

NRC
F. Coffman, RES
J. Wermeil, NRR
S. Newberry, NRR


Meeting Minutes 2
May 5, 1992

Chairman's Opening Remarks

Dr. Lewis noted that the meeting will be almost entirely about the control room design for the ABWR.

He said the reason it was a joint meeting was that there were two issues running in parallel.

One is a general ACRS effort to review the subject of the use of computers in nuclear power plant operations.

The second is the ACRS effort to review the licensing issues associated with the certification of the General Electric Company (GE) ABWR design.

He said that the Subcommittees have received neither written comments nor requests for time to make oral statements from members of the public.

Presentations by GE Representatives

Design Development - Mr. M. A. Ross, GE

Mr. Ross said that the primary design objectives of the ABWR are to:

- Eliminate past problems of design issues
- Enhance public safety
- Enhance plant investment protection
- Enhance availability and maintainability
- Improve the man-machine interface design
- Adapt state-of-the-art technologies
- Utilize only proven designs.

He said that specific goals were to eliminate plant trips or system unavailability due to a single human error or single instrument channel outage.

The burden on the operator is to be reduced through better human engineered interfaces and by giving the operator validated information on system parameters.

Other goals are to reduce the burden on the maintenance staff by using self-diagnostic fault indication and simplifying maintenance service to make it less prone to error.

Mr. Ross discussed the project schedules for the Japanese ABWRs.

The first licensing application was submitted and approved in Japan in 1988.

The K/6 unit will be operational in 1996 and the K/7 unit will be operational in 1997.

For the K/6 unit, Toshiba will supply the main control room, and for the K/7 unit, Hitachi will supply the main control room.

The control room designs, the other man-machine interface designs, and the control and instrumentation designs are the same for both the K/6 and K/7 units.

Mr. Ross said the design objectives for the ABWR control room were organized into control center modules to maximize the simplicity of plant operation, to optimize the quality of data and the methods of data presentation, to improve the operator's response time and reduce the potential for operator error.

Mr. Michelson expressed a concern about valid but incorrect outputs not being recognized by the software as incorrect and handled as though they were correct.

Mr. Ross said the ABWR has two out of four logic across all safety functions.

Under the circumstance where one of these channels provides valid but incorrect data, the other three channels will provide valid and correct data.

The one channel of valid but incorrect data is clearly indicated to the operator and not processed through.

Mr. Ross discussed control room research and development activities, including the following:

- Operator interviews - Operators were asked what they liked about control room designs and what they didn't like. The things they liked were maintained in the control rooms. The things they didn't like were considered for improvement.
- Evaluation of man-machine interface - This provided an opportunity to improve the control room environment for the operator using the enhanced capabilities of digital technologies.
- Operator workload analyses - This was done to determine those types of periods that were a challenge to the operator and why.
- Evaluation of automation - This is to determine how automation can be applied to improve the control room.
- Response of the system to upsets - The control room design must ensure that even during conditions where entire divisions, systems, or equipment have failed, the plant continues to operate in a safe manner.

Mr. Davis, ACRS consultant, asked if any thought was given during the operator workload analyses to trying to improve operator complacency and boredom when things are going well.

Mr. Ross said they had considered that.

You don't want to provide an environment that promotes non-diligence or lulls a person to sleep.

However, it was felt that diligence is best handled by administrative control.

Mr. Ross discussed the research and development efforts on control room staffing.

The impetus for this was a specific design objective being used by the Tokyo Electric Power Company.

They have, as a part of their standard design, control rooms for dual units.

Their current operating staff is nine.

GE investigated reducing the staff to seven.

The investigation was further refined as an evaluation goal for a one-man operation.

The concept was, if a design can be developed that is easy enough to use by a single operator, then the normal design base of operators should be well satisfied.

The design base for the ABWR is to maintain the current staffing levels of a control room operating staff of four.

Mr. Ross said that they had evaluated alarm performance.

They looked at what caused operator saturation, how to suppress alarms, how to provide hierarchy to the alarms, different kinds of presentation methods, and the elimination of unnecessary alarms.

Mr. Ross discussed automated system response to equipment failure.

He said that assurance is needed that equipment failure didn't lead to unacceptable results, including what happens to automated functions during abnormal plant events beyond just plant failures.

Regarding the approach to automation, Mr. Ross said that it is based on system level sequence master control functions.

He cited the emergency core cooling system as an example.

The emergency core cooling system is typically in a standby condition.

If it gets a trip action to initiate, it has to start the pump, measure pump discharge flow, and then, when the discharge flow is high enough, open a discharge valve.

There is a sequence of predefined activities that the system goes through.

Systems that have a sequence of predefined activities were candidates for automation.

Tedious or repetitive operations such as control rod operation, or load following were identified for automation.

The operator is always in control.

The plant status is monitored, and when all the plant states are satisfied and the automated control is about to proceed, the operator is advised that the plant states have been satisfied.

If the operator wishes, he can allow the automated sequence to proceed.
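The sequence master control pattern just described (a predefined ECCS sequence that advises the operator once the plant states are satisfied and proceeds only on the operator's permission), written out as an added example for these minutes; it is illustrative code, not GE's control software. The step names, the discharge flow setpoint, the hold behaviour when plant states are not satisfied, and the simulated pump are all assumptions made for the example.

```python
"""
Added example (not from the ACRS minutes or from GE): a model of the
system-level sequence master control pattern described in the minutes.
The ECCS sequence (start pump -> wait for discharge flow -> open discharge
valve) is predefined; the operator is advised when the plant states are
satisfied and the sequence proceeds only after the operator permits it.
Step names, thresholds, hold behaviour and the pump model are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class Step(Enum):
    STANDBY = auto()
    AWAITING_PERMISSIVE = auto()
    STARTING_PUMP = auto()
    WAITING_FOR_FLOW = auto()
    OPENING_VALVE = auto()
    INJECTING = auto()
    HOLD = auto()


@dataclass
class SimulatedPump:
    """Constructed plant model: discharge flow ramps up once the pump runs."""
    running: bool = False
    discharge_flow: float = 0.0        # arbitrary units
    ramp_per_cycle: float = 25.0

    def cycle(self) -> None:
        if self.running:
            self.discharge_flow = min(100.0, self.discharge_flow + self.ramp_per_cycle)


@dataclass
class EccsSequencer:
    """Sequence master: automates a predefined sequence, operator stays in control."""
    pump: SimulatedPump
    flow_threshold: float = 60.0       # assumed "discharge flow high enough" setpoint
    step: Step = Step.STANDBY
    valve_open: bool = False
    operator_advised: bool = False
    log: list = field(default_factory=list)

    def initiate(self, plant_states_satisfied: bool) -> Step:
        """Trip action received: advise the operator if plant states are satisfied;
        otherwise hold (assumed behaviour, not stated for this case in the minutes)."""
        if self.step is not Step.STANDBY:
            return self.step
        if plant_states_satisfied:
            self.operator_advised = True
            self.step = Step.AWAITING_PERMISSIVE
            self.log.append("plant states satisfied; operator advised")
        else:
            self.step = Step.HOLD
            self.log.append("plant states not satisfied; sequence on hold")
        return self.step

    def operator_permits(self) -> Step:
        """The operator allows the automated sequence to proceed."""
        if self.step is Step.AWAITING_PERMISSIVE:
            self.step = Step.STARTING_PUMP
            self.log.append("operator permitted sequence")
        return self.step

    def cycle(self) -> Step:
        """One control cycle: the plant model advances, then the sequence steps."""
        self.pump.cycle()
        if self.step is Step.STARTING_PUMP:
            self.pump.running = True
            self.step = Step.WAITING_FOR_FLOW
        elif self.step is Step.WAITING_FOR_FLOW:
            if self.pump.discharge_flow >= self.flow_threshold:
                self.step = Step.OPENING_VALVE
        elif self.step is Step.OPENING_VALVE:
            self.valve_open = True
            self.step = Step.INJECTING
            self.log.append("discharge valve opened")
        return self.step


def run_sequence(permit: bool, plant_ok: bool = True, cycles: int = 10) -> EccsSequencer:
    """Run one initiation through `cycles` control cycles and return the sequencer."""
    seq = EccsSequencer(SimulatedPump())
    seq.initiate(plant_ok)
    if permit:
        seq.operator_permits()
    for _ in range(cycles):
        seq.cycle()
    return seq


if __name__ == "__main__":
    done = run_sequence(permit=True)
    print(done.step.name, done.valve_open, done.log)
    held = run_sequence(permit=False)
    print(held.step.name, held.valve_open)
```

Without the operator's permissive the sequencer never starts the pump, and the valve opens only after the flow check passes, so the two properties the minutes describe (predefined sequence, operator always in control) are both visible in the trace.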

With regard to the actual control room design, Mr. Ross said that the main control console is the primary operator interface.

Behind the control console is the wide display panel that provides plant summary status for use by all the people in the control room.

Across the face of the control console are dedicated function buttons.

Mr. Ross said that the Safety Parameter Display System requirement is satisfied by a fixed position display.

All of the critical point parameters are part of the fixed position display.

The category 1 post-accident monitoring parameters are on the fixed position display.

He noted that this is the instrumentation the operator normally uses during plant operation.


Mr. Ross discussed the semiautomatic mode of operation, the power generation control system (PGCS).

In the PGCS mode, the process computer is performing its function as in the automated mode of monitoring the plant's status, but instead of interacting with the operator to send the control commands to the individual systems, the PGCS is providing prompts to the operator.

Instead of the operator providing an "OK," the operator sends the command.

Dr. Wilkins asked if the operator is required to take action under the PGCS mode and if he fails to take such an action, what would be the consequences?

Mr. Ross said in that case the system would be placed on hold.

In response to a question by Mr. Ward regarding what human factors criteria were used in the control room design, Mr. Ross stated that the process was developed based on existing codes and standards on how to do human factors engineering.

Design Certification - Mr. M. A. Ross, GE

Mr. Ross said the design certification of the ABWR control room may be categorized into three elements:

- Definition of the design features and technologies that will provide an envelope of the implementations of the ABWR, which then provide a basis for all the implementations and the NRC performance reviews.
- Definition of a minimum set of fixed position displays, controls, and alarms. This minimum set was based on evaluation of plant operations following the symptom based emergency procedure guidelines and some events that were identified through PRA to be sensitive to operator actions.
- Definition of the requirements for the design implementation process. This is done through the design acceptance criteria which are the basis of the implementation and the associated NRC review.

Mr. Ross listed the standard control room features. These included:

- Single integrated control console
- Plant process computer system on-screen control video display units
- Control console dedicated function switches
- Operator selectable automation of pre-defined plant operation sequences
- Operator selectable semi-automated mode of plant operations
- Conventional manual mode of plant operations
- Fixed position display of key plant parameters and major equipment status on the large display panel
- Fixed position displays independent of the plant process computer system
- Supervisors console with visual display units for monitoring of plant status.

Mr. Ross said that for each individual system there are inspections, tests, analyses, and acceptance criteria, on a system-by-system basis.

Each individual system has its own performance and interface requirements to be satisfied.

In addition to that, in the area of the control design, there are design acceptance criteria which control the process of implementation.

Mr. Michelson asked if there would be any more detailed design work between the certification and the combined operating license.

Mr. Ross said that the design effort may not proceed until after a COL is granted.

Software Quality Assurance - Mr. B. H. Simon, GE

Mr. Simon discussed briefly the software QA, with emphasis on specific control and instrumentation reliability issues and especially the reliability of safety-related software and the defenses against common-mode failures.

Software performance is measured against the performance of the formal specification documents which have been verified.

Validation of the hardware / software integration is done after the hardware development.

Dr. Lewis raised a concern regarding detection of incorrect software.

He asked how this would be detected.

Mr. Simon said that they have self-diagnostics for each of the controllers in the system.

Every microprocessor based device has built-in self-test capability.

Dr. Lewis pointed out that a self-test simply tests normal functions under normal conditions.

He mentioned that you cannot cover the entire input space mapped against the output space.

Mr. Simon agreed with Dr. Lewis.

He said that is why validation testing is performed.

This is done at the factory and then during installation and preoperations at the site.

Mr. Simon said one method of developing reliable software is by use of formal methods. He explained that formal methods use mathematical proof of the correctness and the logic.

The formal methods are most useful if automated verification and validation (V&V) techniques are used along with them.

He said that formal methods will be used on all safety-related software.

In response to a question by Dr. Lewis as to how configuration control, i.e., changes in the program, will be handled, and whether a complete V&V would be needed, Mr. Simon said they would not have to go through the entire procedure.

He said they have a configuration control ITAAC that specifies the methods.

He said that you have to go through part of the V&V process each time you make a change.

Dr. Wilkins said this is an area where formal methods might even have some value, because they might be able to automate, for example, a search through the entire program to see where this new line you are writing interacts with the rest of the program.

Mr. Simon said that proven technology is used for software development.

The compilers and any development tools need a proven history of development use, and software developed with those tools should have been in operation.

In addition, the microprocessor operating system itself, which will be a simplified operating system, will be standardized for the particular microprocessor.

With reference to a question raised by Mr. Michelson about valid but incorrect inputs arising from unusual, abnormal, and perhaps even catastrophic external events which cause the sensors to misbehave in an unfortunate way, Dr. Wilkins asked where or how this issue is addressed.

Mr. Simon said that they are addressed in the structure of the system.

He cited the Engineered Safety Features systems.

The redundant sensors are confined to their divisions, multiplexed to the setpoint comparator called digital trip mode.

The data is exchanged among all divisions.

A two out of four comparison is performed in each division.

Continuing his response to Dr. Wilkins, Mr. Simon said that a failure of a sensor or multiple sensors within a division might send a valid but incorrect signal, but there are redundant sensors that are making the same comparison, and you need two out of the four to agree with each other before you get your trip output.

Mr. Michelson postulated a situation where the remote multiplexing unit (RMU) is located in a room, and for some reason the room heats up and the RMU, because of the heat, produces some "interesting" results.

Mr. Simon said that no matter how interesting they are, the other three will produce valid results.

Mr. Michelson said that he thought the individual outputs were transmitted to the central multiplexing unit and then processed across all divisions as individual sensor outputs. He said that if you make your logic decision first, cross talk the logic decision, then there's no problem.

Diversity Issue - Mr. B. H. Simon, GE

Mr. Simon said this issue arose from a Lawrence Livermore National Laboratory (LLNL) study that was performed on the software safety of the GE digital protection system.

The concerns raised were that:

- The operator does not have enough time to deal with an accident from the control room.
- There is a lack of independent Class 1E backup.
- The operator lacks independent system level control in the control room.

The specific concern is that the four divisions are similar not only in hardware but also in software.

The fear was that if all these software modules are actually identical in each division, then you have built in a line of code that would hang up all four divisions at the same time in the same state and prevent a trip that was required when an event occurred.
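The two-out-of-four trip logic Mr. Simon described earlier (each division compares its own sensor against the setpoint, exchanges its decision with the other divisions, and each division votes 2oo4) and the common-mode concern from the LLNL study, shown together in one added example written for these minutes; it is not GE's protection system software nor LLNL's model. It first shows a single valid-but-incorrect channel (the overheated RMU case) being outvoted, then four divisions all running one constructed defective comparator, where voting gives no protection until diverse logic is present in enough divisions. The setpoint, sensor values and the injected defect are constructed for the example.

```python
"""
Added example (not from the minutes, GE or LLNL): a model of two-out-of-four
trip logic with per-division setpoint comparison and vote exchange, plus the
LLNL-style common-mode concern where identical software fails identically.
Setpoint, sensor values and the injected defect are constructed.
"""
from typing import Callable, List

SETPOINT = 1000.0          # assumed trip setpoint, arbitrary units
TRIP_VOTES_REQUIRED = 2    # two out of four divisions must agree


def digital_trip(sensor_value: float, setpoint: float = SETPOINT) -> bool:
    """Per-division setpoint comparator: True means this division votes to trip."""
    return sensor_value >= setpoint


def two_out_of_four(votes: List[bool]) -> bool:
    """2oo4 coincidence performed in each division on the exchanged votes."""
    if len(votes) != 4:
        raise ValueError("expected one vote from each of four divisions")
    return sum(votes) >= TRIP_VOTES_REQUIRED


def protection_system(sensor_values: List[float],
                      comparators: List[Callable[[float], bool]]) -> List[bool]:
    """Each division runs its own comparator on its own sensor, the decisions are
    exchanged, and every division votes 2oo4. Returns each division's trip output."""
    votes = [compare(value) for compare, value in zip(comparators, sensor_values)]
    return [two_out_of_four(votes) for _ in range(4)]


IDENTICAL = [digital_trip] * 4   # four divisions running the same comparator


def single_channel_fault(actual: float, faulted_value: float,
                         faulted_division: int) -> List[bool]:
    """One division sees a valid-looking but incorrect value (the overheated RMU
    case); the other three see the actual process value."""
    values = [actual] * 4
    values[faulted_division] = faulted_value
    return protection_system(values, IDENTICAL)


def buggy_trip(sensor_value: float) -> bool:
    """Constructed defect standing in for 'a line of code that would hang up all
    four divisions in the same state': above some range the comparator never
    asserts the trip it should. This is not a real GE defect."""
    if sensor_value > 5000.0:
        return False   # trip required, never asserted
    return sensor_value >= SETPOINT


def common_mode_scenario(actual: float) -> List[bool]:
    """All four divisions run the same defective software; 2oo4 voting cannot help."""
    return protection_system([actual] * 4, [buggy_trip] * 4)


def diverse_scenario(actual: float) -> List[bool]:
    """Two divisions run a diverse comparator, so the required trip is restored."""
    return protection_system([actual] * 4,
                             [buggy_trip, digital_trip, buggy_trip, digital_trip])


if __name__ == "__main__":
    print("spurious channel outvoted:", single_channel_fault(500.0, 9999.0, 2))
    print("failed channel, trip still reached:", single_channel_fault(1500.0, 0.0, 0))
    print("identical defective software:", common_mode_scenario(6000.0))
    print("diverse software:", diverse_scenario(6000.0))
```

The first two calls are the case Mr. Simon describes: one faulted division neither causes a spurious trip nor blocks a required one. The third call is the LLNL concern in miniature: when every division carries the same defect, the voter receives four identical wrong decisions and agreement among them is worthless, which is why the argument turns on whether the software is in fact identical and on what diverse backup exists.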

Mr. Simon presented GE's response to these concerns:

- The LLNL study assumed that both the essential and the non-essential systems were identical. They are not. The four division multiplexing system is not the same as the triplicated non-essential system. They are different in hardware and software.
- Information displays are available, and many of them from non-class 1E sources. Credit is claimed for the non-class 1E backup.
- Continuously running systems, such as feedwater, provide normal operating control for the plant. The operator knows they are working because they have been keeping the plant running.
- The remote shutdown system provides the complete safe shutdown capability if there is a common-mode failure of all the multiplex signals.

GE believes that the backup that is available from the non-safety systems gives the operator enough time to make a decision and get to the remote shutdown system.

Mr. Carroll said that if the multiplexed ECCS fails you are okay because you have the feedwater system.

Mr. Ross agreed.

Mr. Carroll said that in the long term, you would have to go to the remote shutdown panel to deal with long term decay heat removal.

Mr. Ross said that was true if the failure of the multiplexing system persists such that you can't control the ECCS from the control room.

He pointed out that you still have the capability of direct hardwired controls at the remote shutdown system.

Mr. Simon said the probability of the multiplex single type of common-mode failure is less than shown in the LLNL study.

The study assumed that all blocks that looked alike would fail identically. He said that when you look at more detail, you should not have everything disabled with any single type of common-mode failure.

He said that we don't want to add in multiple common-mode failures to this analysis because we don't want to get too incredible.

Dr. Kerr asked whether GE believes that the common-mode failure postulated has such low probability that it could be ignored.

Mr. Simon said that is our thesis.

Mr. Simon said that if you accept the common-mode failure, there are backup measures to alleviate the problem.

He cited the example of steam line break outside containment.

Many different types of common-mode failures were studied in depth.

Failures of the sensors were covered by the other diverse sensors that are within the design.

The worst type of common-mode failure is the failure of the microprocessor processing devices.

The worst failure of this type is the failure of the entire multiplexing system.

He pointed out that the non-essential multiplexing is a backup to the essential multiplexing.

The non-essential multiplexing is part of a completely different triplicated fault tolerant design.

Mr. Simon said that for several functions there are manual, completely hardwired controls.

These include scram, alternate rod insertion, and main steam isolation valve closure.

Mr. Simon said that GE's position on diversity is that it has adequate diversity within the system.

Many of the failures postulated by the LLNL study are so negligible that more diversity is not needed.

Mr. Newberry, NRR, discussed the staff position on diversity.

He said that they need a basis for what is required in the control room.

They have asked GE to look at some instrumentation in the control room that could provide some broader displays.

The staff has not taken a position to bring the remote shutdown panel into the control room.

Subcommittee Action

The subcommittees decided to continue these discussions at future meetings.

Actions, Agreements, Assignments

There were no actions, agreements, or assignments as a result of this meeting.

The meeting was adjourned at 2:42 p.m.

ATTACHMENT A

DOCUMENTS PROVIDED TO THE SUBCOMMITTEES

1. Presentation Schedule
2. Status Report, dated April 21, 1992
3. Advanced Reactor Programs - ABWR Control Room Design, GE Nuclear Energy, undated
4. Presentation materials provided during the meeting.


ATTACHMENT B

FINAL AGENDA (Morning Session)
ACRS JOINT SUBCOMMITTEE MEETING ON THE ABWR CONTROL ROOM DESIGN
MAY 5, 1992, ROOM P-110
PHILLIPS BUILDING, BETHESDA, MARYLAND

8:30 a.m.   Introductory Remarks - H. Lewis

Control Room Design

8:40 a.m.   ABWR Control Room Development - M. A. Ross, GE
9:40 a.m.   ABWR Control Room Design - M. A. Ross, GE
10:40 a.m.  *** BREAK ***
11:00 a.m.  Design Certification - M. A. Ross, GE
12 Noon     *** LUNCH ***

C&I Design

1:00 p.m.   Software Quality - B. H. Simon, GE
1:20 p.m.   Software Verification and Validation Process - B. H. Simon, GE
1:40 p.m.   Digital Protection System Reliability - B. H. Simon, GE
2:00 p.m.   Defense-in-Depth and Diversity - B. H. Simon, GE
            - Simplicity and modularity of software design and hardware configuration
            - Non-Class 1E Backup Protection
2:30 p.m.   Adjourn