ML20035H045
| ML20035H045 | |
| Person / Time | |
|---|---|
| Site: | 05200001 |
| Issue date: | 04/27/1993 |
| From: | Poslusny C Office of Nuclear Reactor Regulation |
| To: | Office of Nuclear Reactor Regulation |
| References | |
| NUDOCS 9305030021 | |
| Download: ML20035H045 (70) | |
Text
..
c6c Yf&
g oc 8
o UNITED STATES
[
NUCLEAR REGULATORY COMMISSION f
.E WASHING f 0N. D. C. 20S55 ist g
.b..+
April 27, 1993 Docket No.52-001 APPLICANT: GE Nuclear Energy (GE)
PROJECT:
Advanced Boiling Water Reactor (ABWR)
SUBJECT:
MEETING
SUMMARY
OF MARCH 31, 1993 A meeting was held between GE and the Nuclear Regulatory Commission (NRC) staff on March 31, 1993, in Rockville, Maryland. The purpose of the meeting was primarily to discuss the status of the review for the areas of probabilis-tic risk assessment (PRA) and severe accident closure. is a list of those who attended the meeting, and Enclosure 2 is the agenda which was followed.
t The following is a summary of the highlights of the discussion topics addressed during the meeting.
Status of Unresolved Items Human Factors Issues 1.
Minimum Inventory of Controls, Alarms, and Displays (CA&Ds)
This issue dealt with the staff request to include the minimum inventory of CA&Ds in Tier 1.
GE's position was that it wanted only to include the items in Tier 2 to provide flexibility to the combined license (COL) applicant when the design process was implemented. This flexibility would preclude maintaining a particular display in the design which was found to be unnecessary by the process. The staff emphasized that it was necessary to include in Tier 1 the inventory of fixed CA&Ds which would probably be located on the large display board in the control room, thereby ensuring that the necessary and sufficient information and control capability would be available for the operators to execute the emergency operating proce-dures following a transient or accident.
GE agreed to review its inventory, propose the list to be included in Tier 1, and provide the criteria used to develop the minimum set of CA&Ds.
The staff agreed to conduct further discussions to reach agreement on the selection of what items will be fixed.
2.
Scope of Human Factors Engineering (HFE) Design This issue dealt with the HFE design relative to maintenance and testing activities in the control room. The staff had stated in an earlier meeting that GE's design process did not include an interface for mainte-nance and testing conducted in any area of the control room.
GE stated that any testing and maintenance activities which affect the operation f 9305030021 930427 U
'm h
fDR ADOCK.0520 1
ii s
'\\
i April 27, 1993 the plant are accounted for-in the design process; however, such activ1-ties in the control room which are independent of the operation of the plant are not part of the HFE design scope. The staff indicated that this was acceptable, and will work with GE to develop acceptable wording in the design description and inspections, tests, analyses, and acceptance criteria (ITAAC)/ design acceptance criteria.
3.
Operating Experience Review This issue dealt with the f act that the staff's HFE program review model includes an element for an operating experience review for any new t
technologies not described in the ABWR standard safety analysis report l
(SSAR) and for the integration of the control room design as a whole. GE indicated that, in its opinion, the design process for the ABWR control room would automatically incorporate lessons learned from existing designs at the time, without having to specifically identify this experience review requirement, and questioned the value of adding it.
The staff stated that significant value and insight can be gained, and the commit'-
ment is needed to support the staff's safety finding., a summary of the staff's position on the issue, was provided to GE during the meeting, and GE was requested to provide in writing a commitment for the C01. applicant to include an operating experience review as an element in the control room design process.
l ABWR Open item Status The staff provided handouts and discussed the status of the resolution of draft final safety evaluation report (DFSER) open issues and a summary of the key activities in the resolution process (Enclosures 4, 5, and 6),
t Status of Significant Review Issues The staff provided a brief summary of the status of the structural and seismic design review (Enclosure 7), the electrical design issue status (Enclosure B),
i the status of the instrumentation and controls issues (Enclosure 9), and the status of piping issues (Enclosure 10). A significant observation was made that these areas were potential critical path items in the recent past but l
currently have reached a point in the review where closure of all issues can be achieved in the near term.
Severe Accident Closure l
The staff discussed the current status of the review, as indicated in Enclo-sure 11. Specific comments of note included:
1.
GE should meet with the staff to discuss control of pH in the suppression I
pool.
i f
2.
The staff is still waiting for GE's submittal on containment bypass and i
the effect of sprays.
3.
The containment ultimate pressure submittal needs to be augmented, j
s 4.
The containment sump submittal needs more detail or an ITAAC should be provided.
I s
. April 27, 1993 i
a 5.
The staff requested that GE support a technical meeting to discuss the content, format, and schedule for all submittals needed to close out all severe accident issues in the near future.
Probabilistic Risk Assessment The staff presented the status of outstanding issues (Enclosure 12), and GE presented a description of GE action on the issues (Enclosures 13 and 14).
Specific comments of note included:
i 1.
Of the 14 outstanding items from the last meeting with the staff, 10 remain open, with paths to resolution identified and agreed upon.
2.
Four new minor issues have been identified and are being worked.
3.
The staff and GE should consider a joint PRA and severe accident meeting in the near future.
4.
The Office of fluclear Reactor Regulation (!1RR) management indicated that it wants a date for the first draft of the final safety evaluation report from the staff and a commitment from GE on the date for the PRA in the SSAR package.
GE indicated that it expected most of the SSAR revisions to be provided to the staff by the first of liay.
5.
The staff identified that it was informed by GE that the emergency core cooling system pumps could function at temperatures up to the opening of the containment overpressure system.
Subsequently, GE stated that only i
the residual heat removal pumps were qualified for pumping water at temperatures in excess of 212 'F.
GE is evaluating the need for pump operation at temperatures beyond the current design bases.
Both GE and the staff need to discuss this further.
(Original signed by)
Chester Poslusny, Project fianager Standardization Project Directorate Associate Directorate for Advanced Reactors and License Renewal Office of fluclear Reactor Regulation
Enclosures:
As stated cc w/ enclosures:
See next page DISTRIBUTIOf1 w/ enclosures:
Docket File PDST R/F CPoslusny DCrutchfield PDR PShea DISTRIBUTIO!1 w/o enclosures:
RDube, 9D24 PlicKee, 9D24 ACRS (11)
Silinh filialloy liiurley/Fliiraglia CGoodman, 10D24 DTang, 11H23 RBorchardt Jf1Wil son RBarrett, 8H7 WBeckner,10E4 GKelly, 10E4 J!ionninger, 8H7 WRussell, 12G18 RGallo, 10D22 AThadani, BE2 REckenrode, 10024 LShao, RES BHardin, RES J0'Brien, RES AEl-Bassioni, 10E4
~4. KaWM A 4 $
Pli:Pb: ADAR Sh:p]$.
0 OFC:
LA:PDST:A P" [
SCSB SPSB
/
PD T:ADAR f1Af4E: PShe i
r ode RfMrrett AEl-Bassioni CPoslusny:tz Jl1 Wilson DATE: 04 5 7/93 04/ /93 04h7/93 04/gt /93 04/p/93 0
AL RECORD 0PY:
3315U!i.CP
i GE Nuclear Energy Docket No.52-001 cc: Mr. Patrick W. Marriott, Manager Mr. Joseph Quirk i
Licensing & Consulting Services GE Nuclear Energy i
GE Nuclear Energy General Electric Company 175 Curtner Avenue 175 Curtner Avenue, Mail Code 782 San Jose, California 95125 San Jose, California 95125 l
Mr. Robert Mitchell General Electric Company i
175 Curtner Avenue San Jose, California 95125 Mr. L. Gifford, Program Manager i
Regulatory Programs
.t GE Nuclear Energy 12300 Twinbrook Parkway
(
Suite 315 Rockville, Maryland 20852 Director, Criteria & Standards Division f
Office of Radiation Programs U. S. Environmental Protection Agency 401 M Street, S.W.
t Washington, D.C.
20460 I
Mr. Sterling Franks U. S. Department of Energy NE-42 Washington, D.C.
0585 Mr. Steve Goldberg Budget Examiner 725 17th Street, N.W.
'j Room 8002 Washington, D.C.
20503 i
Mr. Frank A. Ross U.S. Department of Energy, NE-42 Office of LWR Safety and Technology 19901 Germantown Road i
Germantown, Maryland 20874 Mr. Raymond Ng 1776 Eye Street, N.W.
Suite 300 Washington, D.C.
20006 i
l Marcus A. Rowden, Esq.
Fried, Frank, Harris, Shriver & Jacobson 1001 Pennsylvania Avenue, N.W.
[
Suite 800 Washington, D.C.
20004 Jay M. Gutierrez, Esq.
Newman & Holtzinger, P.C.
{
1615 L Street, N.W.
Suite 1000
[
Washington, D.C.
20036 i
ABWR MEETING ATTENDEES MARCH 31, 1993 i
NAME AFFILIATION t
David Tang NRR/ADAR l
Clare Goodman NRR/DRCH Melinda Malloy NRR/PDST R. W. Borchardt NRR/PDST l
Dennis Crutchfield NRR/ADAR j
Michael T. Janus NRR/PDST Richard Barrett NRR/DSSA W. Beckner NRR/DSSA l
Glenn Kelly NRR/DSSA I
John D. Monninger NRR/DSSA Tom Murley NRR R. M. Gallo NRR I
Ashok Thadani NRR Richard Eckenrode NRR/HHFB Jerry Wilson NRR/PDST Chet Poslusny HRR/PDST l
Jack Duncan GE M. A. Ross GE Joe Quirk GE Alan Beard GE i
k
~!
i i
I i
j l
AGENDA FOR ABWR SENIOR MANAGEMENT MEETING MARCH 31, 1993 ONE WHITE FLINT NORTH BUILDING i
ROOM 12-B-11 1:00 P.M. - 5:00 P.M.
e INTRODUCTION (STAFF /GE) e STATUS OF DFSER UNRESOLVED ITEMS (STAFF /GE)
SEVERE ACCIDENT CLOSURE ACRS ISSUES (STAFF /GE)
STATUS OF DESIGN AND TIER 1 REVIEW (STAFF)
OUTSTANDING ITEMS (STAFF /GE)
SUBMITTAL SCHEDULE (GE)
CLOSURE SCHEDULE (STAFF) e PROBABILISTIC RISK ASSESSMENT 1
STATUS OF GE " PUNCH LIST" (GE)
STATUS OF REVIEW AND ISSUE CLOSURE (STAFF)
I e
CONCLUSION (STAFF /GE)
4 The Imporiance of Operating Experience Review in Advanced Reactor Human Factors Engineering 1.0 Statement of the Problem he Operating Experience Review (OER) was defined in the NRC HFE Program Review Model as one of eight fundamental elements of a human factors engineering (HFE) program. An OER contributes, along with other HFE program elements, to the successful integration of plant personnel and systems, thereby supporting public health and safety. General Electric (GE) has not included an OER as part of the HFE program in either the Certified Design Description / Inspection, Test, Analysis and Acceptance Criteria (ITAAC)/ Design Acceptance Criteria (DAC), (Tier 1) or the ABWR SSAR (Tier 2 - Chapter 18 Appendix E). NRC reviewers have identified this deficiency as DFSER Open Issue 18.9.2.2.1-1. GE has stated that an OER is not necessary in an HFE program if design guidance is available for the specific technologies proposed in the design. Rus, in lieu of an OER, GE has identified a list of specific technologies to be incorporated into the ABWR human-system interface (HSI). Rese are presented in e
SSAR Section 18.4.3.
It is the opinion of the reviewers that such an approach is not an acceptable substitute for the performance of a comprehensive OER. He purpose of this paper is to explain why the reviewers find the GE approach unacceptable. A detailed example of an OER and its potential effect on the design process is attached to this paper and addresses alarm systems. Following a brief background section, this paper will address the following four points.
1.
The OER contributes to the HFE design process and issue identification and resolution in many ways beyond equipment selection and design. In fact, equipment selection and design is only one small application of OER. In Section 3, the role of OER with respect to HFE reviews will be elaborated. The results of OER provide input to many important HFE design activities and provide the technical basis for safety determinations of key HFE milestones in an HFE program. OER is a key component to the identification and resolution of safety issues.
l 2.
The technical basis for requiring OER in an HFE program is founded in accepted industry practices. In Section 4, OER will be discussed with respect to regulation (10 CFR), NRC review guidance documents, current international principles for safety, current nuclear industry standards, and general standards for the design of complex systems. (For example, OER is required in 10 CFR 50.34 (f)(3)(i), OER is one of the IAEA's
- Basic Safety Principles"; and a complete OER is one of EPRI's ALWR requirements for the design of evolutionary and passive reactors).
3.
As indicated above, GE has proposed the use of a general list of technologies in place of an OER. However, the technologies listed are not specified at a level of detail that would provide control room designers with the necessary human factors guidance to make judgements regarding the adequacy and completeness of HFE effort (see Section 5 below). For example, in SSAR Section 18.4.3, alarm features are described in terms of
- fixed position alarm tiles which use light to indicate the alarm state" and an ' audio signal system which is coordinated with the fixed-position alarm tiles and utilized prioritization and alarm reduction logic and predefined set points to alert operators to plant changes." His proposed approach is inadequate because it fails to: (1) recognize
)
the significant issues associated with meeting the functional requirements of an alarm system design, (2) identify the HFE issues associated with advanced alarm system design, and (3) integrate with conventional alarm system characteristics. (An attached 1
b example addresses alarm system OER).
r 4.
The conduct of OERs by ABB/CE and Westinghouse for the System 80+ and AP600 designs respectively, has provided important issues which have been or will >e addressed as part of the their HFE programs. His is discussed in Section 6.
2.0 Background
An important issue which emerged from the initial human factors engineering (HFE) design reviews under the certification process was that detailed HSI design information was not available for staff l
review as part of the design certification evaluation. Historically, the staff has reviewed detailed plant designs prior to making a safety determination. However, because of continually changing technology, I
much of the HSI design will not be completed prior to the issuance of a design certification. To compensate for the lack of design detail, the NRC is performing the design certification evaluation based in part on a design implementation process plan. De plan describes the HFE program elements required to develop an acceptable detailed design specification. In addition to an approved design process, NRC requires the applicant to submit ITAAC/DAC, which will ensure that the design process is properly executed by the COL applicant. He NRC specified that the design and implementation process should contain descriptions of all required human factors activities that are necessary and sufficient for the development and implementation of the HSIs. It should also include an identification of predetermined NRC conformance review points and the ITAAC/DAC.
This process is very different from the typical Human Factors reviews conducted by the NRC in the past or for current staff operations review modifications to the Detailed Control Room Design Reviews. De i
present NRC review criteria presented in the Chapter 18 of the Standard Review Plan (SRP) and in NUREG-0700 provide little information to the reviewer for this type of evaluation. Since the review of a design process is unprecedented in the nuclear industry, the criteria for review are not addressed by current regulations and guidance documents had to be developed. He staff, in conjunction with Brookhaven National Laboratory, has developed an HFE Program Review Model (Program Review Model).
l To develop the HFE Program Review Model, a technical review of current HFE guidance and practices was conducted to identify important human factors program plan elements relevant to a design process review. De review was conducted along two dimensions: Technical Basis (literature providing the theoretical and regulatory basis for evaluating the conduct of HFE); and Application (literature reflecting I
the practice of HFE for development, design and evaluation of complex, high-reliability systems).
General systems literature, as well as literature focused specifically on the nuclear industry, were l
reviewed. Thus, the sources reviewed included a wide range of nuclear industry and non-nuclear i
industry documents. From this review a generic system development, design, and evaluation process was defined. Once specified, key HFE elements were identified and the general criteria by which they are assessed.
6 i
2 I
t
Y ne HFE Program Review Model is the programmatic approach to achieving a design commitment to HFE. The overall commitment and scope of the HFE effort can be stated as follows: Human-system i
interfaces (HSI) should be provided for the operation, maintenance, test, and inspection of the (Nuclear Power Plant (NPP) that reflect " state-of-the-art human factors principles" (10 CFR 50.34(f)(2)(iii)) as required by 10 CFR 52.47(a)(1)(ii). The HI - t rogram Review Model was developed to achieve this commitment and contains eight elements. Each element consists of an overall objective and factors that must be considered in the review process. An OER was defined as one of the key elements required to meet the overall commitment to HFE.
Even if the advanced reactor plant control rooms were to be fully designed and presented to the NRC for a detailed HSI review, the reviewers believe that the incorporation of an OER into the design process for that control room is important. Such an OER is needed to ensure that operating experience is incorporated early in the design process, before design decisions preclude important changes. It will also ensure that the important safety-related concerns outlined in the* Design Commitment" section of the OER HFE Program Review Model element are addressed.
3.9 The Role of OER in HFE Reviews i
ne design commitment for OER and the general acceptance criteria for the review of OER are contained in Table 3.1. Additional criteria are also contained in the HFE Program Review Model.
ne main purpose of the OER is to identify safety and safety related issues (the issues are entered into and followed to disposition by an issues tracking system). He OER provides information regarding the performance of fully-integrated predecessor systems (in an analogous way to full-mission validation tests which provide information about the achievement of safety goals and safety concerns for the integrated system under review). The issues and lessons learned regarding operating experience go well beyond the simple identification of specific equipment or its implementation. In fact, the resolution of OER issues may not involve HSI equipment design at all. ney may impact function allocation (changes in automation), procedures, training, etc. An example where function allocation would be effected is discussed in section 6.0 of this report.
OER information is used in all other HFE Program Review Model elements. Rese inputs are summarized in Figure 3.1 for the MFE Program Review Model in general. As indicated in the figure, OER contributes to review and evaluation considerations as well as system design considerations. For example, OER can be used in the selection of specific failure scenarios to incorporate in validation testing and can be used as a basis to select specific performance measures for the evaluation (for i
example, to measure an aspect of human performance identified in OER as being problematic.)
i OER also provides a technical basis for scoping the level of analysis needed for safety determinations.
Figure 3.2 illustrates the use of OER as a technical basis for the conduct of functional requirements analysis and functional allocation (HFE Program Review Model Elements 3 and 4).
l 3
I
[
I t
(
Table 3.1 OER General Design Commitment and Acceptance Criteria t
Design Commitment:
ne accident at Dree Mile Island in 1979 and other reactor incidents have i!!ustrated significant problems in the actual design and the design philosophy of NPP HSls. Dere have been many studies as a resuk of these l
accidentsrncidents. Utilities have implemented both NRC mandated changes and addidonalimprovements on their t
a own initiative. However,the changes were formed based on the constraints associated with backfits to existing CRs using early 1980s technology which limited the scope of conective actions that might have been considered,i.e..
more effective fixes could be used in the case of a designing a new CR with the modern technology typical of I
advanced CRs. Problems and issues encounteredin similar systems of previous designs shall be identified and
{
analyzed so that they are avoided in the development of the cunent system or, in the case of positive features,to ensure their retention.
General Criteria:
1.
De foDowing industry operating experience issues shall be reviewed (a list of issues is provided in the Program Review Model).
I 2.
he issues shall be reviewed and analyzed for (1) Human performance issues (problems and sources of human enor), and (2) Design elements which support and enhance human performance.
3.
De foUowing topics should be included in interviews as a minimum: display factors, control factors, information processing facton, communication factors, procedures, training factors, staffing and job design l
4 De review shall include (1) a review of literature pertaining to the human factors issues related to similar systems and (2) operator interviews.
5.
The following sources both industry wide and plant or subsystem relevant should be included in review of the identified issues:
l Government and Industry Studies of Similar Systems Licensee Event Reports i
Outage Analysis Reports Final Safety Analysis Reports and Safety Evaluation Report Human Engineering Deficiencies identified in DCRDRs Modifications of the Technical Specifications for Operation InternalMemoranda/Reportsas Available 6.
Each operating experience issue shall be documented in an issues tracking system.
7.
De program shall be developed using specified documents as guidance and issue definition (a list of documents is provided in the Program Review Model).
i
-[
(Summarized from the HFE Program Review Model) l i
I 4
+
Elements 3 & 4 U
- See Figure 3.2 Require en &
Allocation Element 5
. Identification of cntical human actions Task Analysis
. Identification of problem tasks V
Element 1 Element 2 HFE Program Operating Experience Menegenent Rev h Element 6 & 7 interface Design &
- Input I trade study evaluations
- Identsfication of potentialdesign solutions D
= identification of poor design implementations I
HFE lseue Tracking System 4
Element 8
. Functions, systems & tasks to be evaluated Mah Purpose-
=
Verification
. Event & scenario selection identify potential AVolidation
. Performance measure selection safetyissues to be resolved in fundion allocation, task design, HSI design, y
procedure design, training, statt I
issue selection, etc.
Resolution
^
vertrie ibn L
J L
J Figure 3.1. The role of OER in the PRM
-3 y
T+----'
- y+,
ELEMENT 3 D.rin. Functions for N.w
& Predecessor Designs 1r Compare Functions of the New
& Predecessor Designs l
(
U
-1r Unchanged Fu Modified Functions J
I e
- U l
[ ' 6e'scrib'e'the'Iect'n'ic'ai ' ")
Basis for Modified Functions t
ELEMENT 4
- ,, J5,9,=,o,E,R as basjs) j
{
U U
I Identify Whether A!!ocation Perform Functional is the Same as Predecessor j
Requirements Analysis l
i U
}
~
Unchange Modified
' 'Per' form'F'unc'ilon '
l Allocations Allocation Allocation Analysis l
(uses OER as basis) l j
I l
i l///////////////'
f Evaluate Operating l
,/ Experience Review (OER),
i
/////////////////
i V
l No o
OER OER j
issues issues i
i Justify No f
Change in Functior:
or Allocation j
i k
I Evaluate Operator Role Evaluate impact of i
New Allocatons on Unchanged Allocabons U
f////U,ses ofR//,///////////,//g f
ocument Result
///////
- ,Uses OER inpu
/////// /
Figure 3.2. OER and Function Analysis and Allocation
-s-
6 L
4.0 Technical Basis for OER Utilization e
In this section justification for OER and its technical basis is organized ino: regulatory basis and nuclear industry standards and recommended practices. The value of OER is considered with respect to its identification as a significant element in currently accepted industry and engineering practices.
4.1 Regulatory Basis I. Code of Federal Reculations Part 50.34 (f)(3)(i)
Th'e importance of incorporating OER into the design of nuclear plants has been recognized in the Code of Federal Regulations:
" Provide administrative procedures for evaluating operating, design and construction experience and for ensuring that applicable important industry experiences will be provided in a timely manner to those designing and constructing the plant.*
- 2. NUREG-0700 NUREG 0700 identifies OER as important to the safety review of HSIs. While the OER analysis is discussed as part of a control room review for a specific plant, the objectives and methods are generalizable to new reactor designs. OER methodology includes an examination of available documents (such as LERs, outage analysis reports, modifications to technical specifications, and licensee internal memoranda and reports) and operator surveys / interviews.
4.2 Nuclear Industry Standards and Recommended Practices OER has become widely accepted as a necessary and essential component in the design process in the
'i nuclear industry. It is strongly endorsed in international and domestic standards and recommended practice documents.
- 1. International Atomic Enerev Acencv: Basic Saferv Principles for Nuclear Power Plants. No.15-INSAG-3 (1988)
Section 3 of the document discusses fundamental principles which are described as ' bearing in many important ways on the nature and application of the specific safety principles.' Section 3.3.6
- Operating Experience and Safety Research" states the following principle:
- Principle: Organizations concerned ensure that operating experience and the results of research l
relevant to safety are exchanged, reviewed and analyzed, and that lessons learned are acted on" (p.22).
l 7
O
- 2. EPRI: ALuR Utility Reautrements Document - Volume 11 ALuR Evolutionary Plant OER is a requirement in the EPRI ALWR Requirements Document. Chapter 10 addresses the design of the man-machine interface system. Section 3.1.3 identifies "Recuired Desicn Process Features".
Requirement 3.1.3.1
- Resolution of Past Problems" states that:
- ne M-MIS design process shall ensure that problems with the existing LWR M-MIS designs are identified and that features are incorporated in the ALWR M-MIS which provide satisfactory solutions to those problems. To implement this requirement, the M-MIS *)esigner shall include the following in the design process:
At the beginning of the design process, a comprehensive and systematic review shall be made to identify problems which have raised safety concerns, reduced plant availability, or increased maintenance burdens.
Each identified problem shall be assessed for its applicability to the ALWR.
ne final M-MIS design shall specifically identify how each applicable problem has been solved.
Independent reviews per 3.1.4 shall be performed of the identification,. assessment, and solution of the problems.
The solution of existing problems is a basic objective of the ALWR program. The obvious first step is the identification of the problems to be solved. There is substantial information on these problems available from such sources as Licensee Event Reports, Nuclear Power Experience, the Nuclear Plant Reliability Data Systems, and from the Institute of Nuclear Power Operations.
Additionally, this review will aid in identifying those parts of the M MIS design which will benefit from the application of new technology. De M-MIS Designer is required to explicitly address each of the problems so that the merit of the solutions can be independently evaluated and so that the basis for the design features which represent solutions are maintained for the Plant Owner to evaluate future changes.*
t
- 3. IEEE: 1EEE eutde to the coolication ofhuman factors eneineerine to systems. eauipment. and facilities of nuclear vower eeneratine stations. Std 1023-1988 (1988a)
The IEEE document provides a guide for the conduct of a systems analysis for both the design of a new plant and for the modification of existing facilities Section 6.3 " Operational Experience Review" identifies the importe.:e and scope of such a revic
... documents such as licensee event reports, maintenance, and surveillance reports, and reactor trip reports should be reviewed for any human factors aspects requiring design or procedure modifications." (p.16) f 8
- 4. IEEE IEEE ruide to the evaluation of man-machine performance in nuclearpower reneratine statig3 control rooms and other veripheries. Std 845-1988 (1988b)
This document addresses methods for evaluating human performance of HSis. One of the methods identified in the standard is a " historical review" (Section 6.1.2):
"This technique involves the examination of historical records related to the performance of systems mat are identical, or similar, to the system to be evaluated. In the nuclear setting, a historical review is likely to involve Licensee Event Reports (LERs), Significant Event Reports (SERs), plant trouble (or trip) reports, operational logs, interviews with operators and maintainers, and maintenance logs. Historical review is most useful for evaluation issues related to system effectiveness in the real setting, although it can also be used to a lesser degree to evaluate compatibility and understandability" (p.12).
The main conclusion from an examination of OER requirements reflected in currently accepted industry l
and engineering practices is that OER is a necessary and indispensable component to NPP design and that the value of OER extends well beyond equipment selection. Therefore, the reviewers find GE's limited view of OER unacceptable.
5.0 GE's Use of Acceptable Technologia as OER GE has proposed a list of technologies (in SSAR Section 18.4.3) to satisfy OER. Such an approach falls short of an OER in two ways.
(
I
- 1. Restricting the scope of OER to an equipment list fails to acknowledge the importance of OER beyond equipment specification. As discussed in Section 3 of this paper, OER issue resolution may impact function allocation (changes in automation), task design, procedures, crew training, and system e
test and evaluation. Thus, GE's list of control room technologies is inadequate because it does not provide a data base that is comparable to an OER and fails to consider the important role of OER in the HFE program.
- 2. The reviewers do not think Section 18.4.3 " Control Room HSI Technology" contributes anything meaniful. Several items are merely restatements of the ABWR standard features (e.g., item 5 is a partial restatement of Standard Feature b) and others are too vague to contribute to standard feature descriptions. For example, item 5 states "on-screen control utilized with cathode ray tubes and flat panel display devices." This is not an identification of a technology. A wide diversity of technologies can be 4
identified as meeting this statement such as:
i
- infrared touch bezels
- pressure pads
- multi degree-of-freedom hand controllers
- mice, trackballs, lightpens, etc.
l
- gesture controls
- voice controls
- virtual reality devices
- eye-gazing devices 9
i
i Some of these technologies are adequately addressed by available HFE guidance while others are not.
Therefore, even if the specification of a list of technologies were an acceptable substitute for an OER, the level of detail of many of the technologies listed by GE is inadequate for certification.
To illustrate the reviewers' concerns, consider the follcaing characterization of the ABWR alarm system implementation provided in SSAR Section 18.4.3:
Item 10. Thed-position alarm tiles which use light to indicate the alarm state.
, item 11. An audio signal system which is coordinated with thejixed-position alann tiles and utili:ed prioritication and alarm reduction logic andpredefined setpoints to alen operators to plant changes.
Such an over-simplification of the complex problem of alarm processing and display is mis-leading and does not provide criteria to the plant designers for selecting an acceptable alarm system.
Attached to this paper is a preliminary review of operating experience and available literature related to the design of advanced alarm / annunciation systems performed by the reviewers. He review identifies many issues which should be addressed in GE's HFE program. It is concluded that GE's specification of technology fails to capture the operating and research experience with human performance issues associated with such systems.
He reviewers recognize that GE (and other reactor NSSS vendors) have very knowledgeable engineers and designers, who are generally aware of events that occur in their type of ree :! ors and that they can inherently provide some level of OER incorporation into the design. However, we further believe that without the formalism of an actual, documented OER program that many " problems" in the industry's experience will go unaddressed.
6.0 OER in the ABB-CE System 80+ and Westinghouse AP-600 Reviews The value of OER has precedence in the staff's review of the System 80+. ABB-CE has conducted an OER for the design of the NUPLEX 80+ following the criteria generally consistent with the HFE Program Review Model (although some exceptions are noted). He OER identified many issues associated with HFE design which were organized into HSI subsystem categories. Table 6.1 identifies these categories along with the number of issues identified in each.
De issues were identified by a review of NUREGs, Reg. Guides, LERs, IEEE standards, and Industry documents. Some of the OER issues have been addressed by design solutions however, many still remain in the HFE issues tracking system. The CE human factors program plan and the OER submittal for staff review also identifies the commitment to continue OER related information as the design process continues. CE intends to address new OER issues by " utilizing the HFE issues tracking system."
10
Table 6.1 System 80+ OER lssues HFE Category
- of Issues Annunciators 20 Controls 6
Display and Information Processing 11 Panel Design Features 4
MCR Workspace and Environment 6
Equipment layout 3
Maintenance and Testing 3
Process Computers 2
Low Power and Shutdown 2
Procedures 1
t As part of the staff's review of the CE OER for System 80+, the reviewers interviewed operators from i
System 80 plants to identify potential operating experience issues that should be addressed in System 80+ (CE did not interview System 80 operators as part of their OER). One example of an issue conveyed to the reviewer by the operators that was not revealed in a literature based OER was the value of automating RCP seal leak off return isolation. Under loss of seal injection and thermal barrier cooling, operators are required to manually isolate the seal within a very short time frame. This has prompted the operators to place a sign on the control panel to remind operators to take this action when indicated. Failure to do so could lead to excessive seal leakage possibly escalating to a seal LOCA.
Operators indicated that automation of the task of sealisolation should be explored. Note that this is an operating experience issue that is not adequately addressed by current control room technology.
In SSAR Chapter 18 of the Westinghouse application for certification of the AP-600, OER-related lessons are presented (Section 18.3). Additional details for the use of OER in the AP-600 design were provided to the staff in WCAP-13559,
- Operational Assessment for AP-600." The material used as a t
bas?s for the OER included general human factors literature, NRC regulatory guides and NUREGs, USIs and GSis, AEOD reports, and industry information such as INPO reports and LERs. Operator interviews were conducted as well, both in US domestic plants and foreign plants employing advanced technology considered for AP-600 applications. Westinghouse points out (on p.18.3-2) the broad usage of OER data in their HFE program. OER data contributed to the understanding of human process control, allocation of function, HSI design, training, and V&V.
While the staff review of ABB-CE and Westinghouse AP-600 OERs is not yet complete, it is clear that the OERs have identified many issues that are being addressed through HS1 design and other means. GE remains the only applicant for certification not to address OER in their HFE program.
11
I 7.0 Conclw. ions ne male conclusions from this report can be summarized as follows:
l 1.
He main purpose of the OER is to identify potential safety and safety related issues whose resolution may fall within the scope of function allocation, task design, HS1 equipment design, procedures, verification, validation, training, etc. OER contributes to all of the elements in the HFE Program Review Model. He issues and lessons learned regarding operating experience provide a basis for improving the plant design, at the most effective point (the beginning) in the design process. The improvements made as a result of a comprehensive and well executed OER go well beyond specific equipment implementations.
2.
De establishment of OER requirements during the design phase is an accepted industry and engineering practice. OER is a necessary and indispensable component to NPP design and the value of OER extends well beyond equipment selection.
3.
GE's proposed list of technologies (in SSAR Section 18.4.3) to satisfy OER is inadequate in at least two ways: (1) restricting the scope of OER to an equipment list fails to acknowledge the importance of OER beyond equipment specification, and (2) the reviewers believe Section 18.4.3
- Control Room HS1 Technology" consists of restatements of the standard features or concepts that are too vague to contribute to standard feature descriptions. De alarm system example cited in the attached report demonstrates that a preliminary review of alarm system design (one example of an application of OER) revealed many HFE issues that plant designers should consider in designing an effective alarm system, he design of alarm tiles, for example, as proposed by GE is one small part of designing an alarm system that supports the alarm system functional goals.
3.
The other advanced reactor designs under certification review (ABB-CE System 80+ and Westinghouse AP-600) have submitted OERs that have identified many issues that are being addressed through HS1 design and other means. (GE remains the only applicant for certification not to address OER in their HFE program.)
Given the reasons cited above, the reviewers have concluded that GE's effort to substitute a list of control room technologies (in SSAR Section 18.4.3) for OER is inadequate. The reviewers, therefore, find GE's approach to OER unacceptable.
1
+
i
[
12 l
I
i ATTACHMENT AN EXAMPLE OF ISSUES IDENTIFIED FROM OERS OF ALARM SYSTEMS t
The human engineering deficiencies associated with conventional (one sensor-one alarm) alarm systems in Nuclear Power Plants (NPPs) are well documented (Malone et al.,1980; Banks and e
Boone,1981; Rankin et al.,1983; Seminara et al.,1979; Pine et al.,1982; Fink,1984; Kinkade an'd Anderson,1984; MPR,1985) and recommendations for improvements have been offered (e.g., Fink,1984; Kinkade and Anderson,1984; MPR,1985; Pine,1982; U.S. NRC,1981).
Despite the alarm / annunciator design review guidelines provided by NRC (NUREG-0700) and subsequent NRC and industry studies of recommended upgre. des of alarm systems, the presentation of alarm system information to operators continues to be a problem. A recent NRC l
Commission policy statement on the conduct of NPP operations (Register 1989, Volume 54, Number 14, p. 3426) illustrates the point: "The working environment in the control room should be maintained to minimize distractions to the operator... Consideration should be given to reducing environmental distractions such as lighted alarms that are not operationally significant, or alarms that signify normal operating conditions." An EPal study (Seminara,1988), reviewed 25 DCRDRs to identify and prioritize human engineering deficiencies (HEDs) and to recommend research directed toward helping to resolve outstanding issues. A total of 11 percent of all HEDs evaluated were in alarm systems. These human engineering deficiencies (HEDs) were ranked as representing medium significance and were considered " difficult to correct." The alarm system HEDs were also rated as highest in terms of "further study needed" when 4
compared with other topic area covered by NUREG-0700. A summary of the percentage of plants having HEDs in a variety of alarm system categories is presented in Table 1.
Also presented is the percentage of those HEDs which are " unresolved" - not slated to be corrected or require further study. As the data indicate problems with alarm systems still exist. Thus, there is still a need for careful tracking of design approaches to these issues. Seminara (1988) indicated that many issues related to conventional systems still remain, for example:
the importance and value of "first-out" panels, the necessity for cleared alarm signals, i
the relative merits of central versus distributed alarm controls, the importance of separate alarm silence and acknowledge controls, a
the value of an auto-silence alarm feature, e
4 methods for avoiding sensory overload during transients, and 4
conventions for setting alarm limits.
However, while issues with conventional alarm system design still exist, some of the issues are being addressed with advanced alarm systems. (It should be noted that many of the issues raised in the discussion above are generic alarm system issues and apply to both conventional as well as advanced systems). One reason may be that not all of the human factors issues (the number of alarms during major plant disturbances, and static prioritization capabilities, to cite two examples) can be effectively resolved through improvements to conventional systems.
Table 1 Summary of Alarm System HEDs PERCENT PERCENT HEDs HED CATEGORY PLANTS with HEDs UNRESOLVED Signal Detection 93 58 No "First-Out" 93 65 Alarm Arrangement 88 52 Shared Alarms 86 49 Legend Specificity 80 42 Tile Readability 80 37 Visual Alarm Recognition 79 55 Controls 76
.43 Prioritization 72 54 Annunciator Panels 71 62 Cleared Alarm Signals 71 61 General Alarms 64 53 Note: Data are from EPRI NP-5795 (1988) and were based on reviews of 25 DCRDRs.
The need to improve the human engineering of alarm systems has led to the development of advanced alarm systems in which alarm data are processed beyond the one sensor-one alarm framework. The processing can be simple, such as the filtering of plant mode dependent l
alarms, or complex, such as dynamically prioritizing alarms based upon event and disturbance analysis. Advanced alarm processing and display technology promises to provide a means of correcting many known alarm system deficiencies. However, there is evidence to indicate that attempts made to date to develop advanced alarm systems have been less than completely successful, and that operators tend to prefer conventional systems (e.g., Kraght, 1984; MPR,1985,1988). Thus, despite the application of advanced technology to NPP alarm systems, Operating Experience Review (OER) issues and human factors problems remain and should be addressed by advanced reactor designers.
i In the remainder of this section the types of specific issues that should be addressed in advanced alarm system design are identified. The issues are organized into four categories:
general system design, alarm processing, alarm display, and alarm system control. The i
A-2 i
issues are listed in Table 2 and are discussed below. It should be noted that the list is not intended to be comprehensive since the objective was to illustrate that there are sigmpcant issues emergingfrom OER that should be addressed (as many relate specifcally to the two GE technologyfeatures listed above).
Table 2 Advanced Alarm System HFE Issues TOPIC ISSUE Advanced Ahrm System General Goah 1.
Operator-Centered Alarm System Design Goal Considerations and Functional Requirementa 2.
Ahrm and Annunciator Functions 3.
Alarms and Symptom-Based Emergency Procedures 4.
Secondary Event Detection 5.
Ahrm Functional Requirements and Characteristics 6.
Context Specific Alarm Response Characteristi.:s Alarm Processing Methods issues 1.
Comparison of Individual Processing Methods 2.
Effects of Filtering on Operator Performance 3.
Design Goals of Alarm Fihering Syr. ems 4.
Fihering vs. Prioritiation 5.
Criteria for Prioritization 6.
Filtering Alarms in Muhiple Failure Events 7.
Alarm Generation 8.
Alarm Setpoints and the Alerted Monitor 9.
Processing Complexity and operator Undentanding Display of Alarm Data 1.
Tile and VDU-Based Displays 2.
Organization of Alarm Displays 3.
Design of VDU-Based Displays 4
Infonnation-Rich Alarm Displays 5.
HierarchicalDisphys, Ahrm Integration, and Data Layers 6.
Use of Auditory Cuing 7.
Enriching Auditory Cues Alarm System Controls 1.
Increased Complexity with Advanced Ahrm Systems 2.
Role of Automation i
3.
Implementation of Controh in Advanced Ahrm Systems 4.
Dialog Design l
Adyanced Alarm System General Goals and Functional Reauirements Operator-Centered Alann System Design Goal Considerations The large number of alarms occurring during a NPP transient overloads the operator'S information processing ability. Since cognitive workload co-varies with fault detection capability (i.e., as workload goes up, fault detection capability goes down), the operator wiU A-3 1
have a great deal of difficulty handling the flood of alarms associated with process disturbances. The main problems a:e associated with the limitations of working memory (limited capacity and shon duration) and the limited availability of attentional processing resources. As a result, under high workload situations such as NPP transients, signal detection and recognition capability is reduced. The operator samples rather than completely scans alarm information. The operator's information processing system attempts to handle high workload situations through the application of decision-making heuristics. These heuristics reduce overall load on the information processing system but can also lead to human error. In light of these aspects of human information processing and the large amount of' alarm information to be presented in a NPP, the design of the alarm system should address the operator's information processing constraints through specific analysis of alarm perception, detection, and workload analyses.
Alarm and Annunciator Functions The alarm system is the principle source ofinformation for the detection of a specific off-normal condition. However, in conventional NPPs, it is also used for the annunciation of system / function status and in this role also supports a feedback function on the success of actions taken by the operator. Observations and interviews of operators has shown that the annunciation function of the alarm system is important to operators. However, the combining of annunciation and alarm functions in a single system has contributed to the difficulty operators have with the system under high alarm density conditions. The number of alarms the operator must deal with can be significantly reduced by separation between these functions. In advanced control rooms, such a separation can be easily accommodated.
However, problems have been encountered with early attempts to utilize advanced alarm systems which stem from the loss of the annunciation function.
Alanns and Symptom-Based Emergency Procedures Symptom-based emergency operating procedures (EOPs) have changed the operating crews response to significant accident conditions in that event diagnosis is no longer required as the initial response to accident initiators. One important role of the alarm system can be to clearly indicate the specific entry conditions to the EOPs and to clearly identify with alarms the branch points in the EOPs. The role of the alarm system in calling attention to entry conditions and key decision points in procedures should be addressed in the design, i
Secondary Event Detection The alarm system plays a significant role in indicating secondary (teniary, etc.) malfunctions and supports secondary event analysis which is ongoing in parallel to the EOP. However, the detection by operators of alarms occurring late in a multi-alarm scenario has been shown to be difficult (detection of secondary failure is significantly lower than primary failure j
detection) and needs to be addressed in the design.
A-4
i l
i Alann FunctionalRegtirements and General Alarm Characteristics i
Analytical studies evaluaing the alarm characteristics required to meet the functional i
requirements of alarm systems have identified a number of features which are generally i
considered important and ifincluded, may reduce human error-related plant risk. These include, for example, prioritization, alarm inhibit features, first-out alarms (for reactor and l
turbine trip), reflash, message legibility / intelligibility, and keying alarms to alarm i
procedures. The application of these features should be considered in advanced reactor alarm system design.
Context Specifc Alann Response Characteristics
}
l There is some evidence that the response of the alarm system can be made context specific to.
l assist operators, for example, silencing the auditory waming associated both with lower priority alarms and with " ring back" under high alarm density conditions. This possibility should be considered in an effort to make the alarm system more effective under accident a
conditions.
Alarm Processine Methods Issues l
i i
Comparison ofIndividual Processing Methods 1
A wide variety of methods (such as mode dependency, state dependency, etc.) are available for processing of alarm data. Each method changes the information presented to the operator.
l However, the relative merits of the individual methods have not generally been evaluated for
{
their effects on operator performance. This effect should be carefully addressed in the alarm system design.
1 I
Efects of Filtering on Operator Performance The results of the research on the effects alarm filtering on operator performance are equivocal. Two studies (Baker,1985a and 1985b, and Fujita and Sanquist,1988, studies)
- found no effect for alarm filtering. One. study (Fujita,1988 and 1989) found no effect for the detection ofinitial disturbances, but improved performance in the detection of secondary malfunctions (which is a significant problem). Finally, two studies observed interaction j
effects. Marshall (1982) found effects on some transients but not others; and Reiersen (1987) found effects on complex disturbances but not simple transients. _ Thus no clear j
conclusion emerges. The observed differences in results could be due to many factors such as type of processing used, degree of filtering achieved, method of data display, and -
familiarization of the subjects with the system. Or the results could be transient dependent, e.g.,' dependent on the specific scenario or on the operators ability to recognize a familiar pattern. This issue should be considered.
A-5
Design Goals ofAlarm Filtering Systems Most of the reparts of advanced alarm system development set design goals on the basis of achieving some percentage of alarm filtering, e.g., to reduce by a factor of two the number of alarms during major transients. While this might be reasonable for the application of specific processing approaches, the resulting alarm system might not noticeably help the operating crew (as has been observed in at least one design evaluation). To the human information processing system, reducing incoming alarms by a factor of two may not help at all. The filtering design goal would optimally be stated in terms of the degree of alarm filtering required to improve human performance.
Filtering vs. Prioritization In alarm filtering typically some alarms are withheld from the operators. Alarm prioritization, on the other hand, is the presentation of all alarms to the operator with priority information coded in the display. An issue remains as to whether alarms should be prioritized or filtered, or some combination of both? Should alarm information be withheld r
from operators? What is the effect of adding visual (and perhaps auditory) noise imposed by a prioritization scheme (added by including alarms displays of low priority to the operator) as opposed to filtering the information? Effects of these alternatives on operator performance
~
needs to be addressed?
Cr:teriafor Prioritization Alarm prioritization schemes can prioritize alarms along several dimensions such as the overall importance to plant safety or the urgency of operator action. The selection of one or more of these dimensions will have a great impact on the alarm systems characteristics and, i
in all likelihood, operator performance. This issue is also related to the functional basis of alarm system to provide warnings and annunciation of conditions.
Filtering Alarms in Multiple Failure Events Many significant NPP events, such as the TMI accident, have resulted from complex combinations of problems occurring. The behavior of filtering systems in such complex situations needs to be addressed when any sophisticated dynamic processing system is utilized.
Alarm Generation The alarm system should help prevent heuristics-initiated errors which often reflect the overloaded operator's incomplete processing of alarm information and tunnel vision. Alarm system characteristics may help mitigate this problem; e.g., notification of the operator when (1) " unexpected" alarms (based upon the current pattem) occur, and (2) when an " expected" alarm (based upon the current pattem) does not occur. These alarms would call the i
A-6 4
1
opentors attention to plant conditions which are likely to be missed due to the operator's bias toward " capture" errors. However, this practice increases the number of alarms, so its use represents a trade-off that should be examined in the design process.
Alann Serpoints and the Alened Monitor Process control operators are in a monitoring environment that has been described in signal detection theory terms as an "alened-monitor system". This is a two-stage monitoring system with an automated monitor and a human monitor. The automated monitor in a NPP is the alarm system which monitors the system to detect off-normal conditions. When the criterion satisfying such a condition is detected, the human monitor is alerted and must then detect, analyze, and interpret the signal as a false elarm or a true indication of a plant disturbance. Both the human and automated monitors have their own specific signal detection parameter values for sensitivity and response criterion. Sensitivity for the human monitor is strongly affected by alarm system characteristics including set points, the presence of nuisance and false alarms, and alarm density. A significant issue associated with alerted-monitor systems is that optimal overall performance of the alerted-monitor system is a function of the interaction of both components. Opumizing the signal detection parameters for one component of the system may not optimize performance of the entire two-stage system. An alarm setpoint philosophy frequently employed is to attempt to optimize the detection of signals by the automated monitor sub-system. The response criterion is set to minimize missed signals. This, however, increases the false alarm rate for the human monitor, thus increasing the noise (false alarm rate) and lowering the operators' confidence in the alarm system.
~
Processing Complexity and Operator Jnderstanding Since the alarm system is the operator's first indication of process disturbances and operators will confirm the validity of alarm signals prict to taking action, it is essential that operators understand what alarm data means and how it is processed. In addition, operators must understand the bounds and limitations of the system. Thus, the complexity of the processing logic is an issue for the operators who must understand and interpret the systems information.
Display of Alarm Data life and VDU-Based Displays A spatially distributed, fixed location display (such as is provided by conventional tiles) has been generally found to be superior to a spatially focused - variable location display (as is typical of a VDU-based presentation) during high density alarm conditions. Another consideration with respect to VDU-based displays is that alarm, data will be available to the operator at the primary workstation, but that it will not be readily available to the entire operating crew if VDU displays alone are used. Thus, the proper allocation of alarm A-7
functions to conventional tile-like displays and VDU-based displays needs to be addressed.
Organi:.ation ofAlann Displays The organization of alarms by system and function has been shown to be preferred by operators and to improve their performance. Approaches to preserve this display approach in VDU alarm displays should be considered.
Design of VDU-Based Displays While operators appear to like graphic displays, they have not generally been shown to significantly improve performance beyond message lists. However, numerous problems have been associated with message lists in high alarm density conditions and operators show a preference for spatially distributed - fixed location displays.
Infonnation Rich Alann Displays i
When alarms occur, operators must determine whether the signal represents an actual or spurious event. The low probability of off-normal events, and therefore, low expectancy, can make operator acceptance of alarms difficult or slow. Upon verification of several consistent indicators, the operator will take appropriate action. Research indicates that the integration of alarm displays with additionalinformation to assist in the alarm confirmation process is beneficial. Candidate approaches should be identified for enriching alarm displays with information regarding signal validation, alarm likelihood, and/or parameter values.
Hierarchical Displays, Alann integration, and Data Layers One way of reducing the flood of alarms which operators must deal with in process disturbances is to provide alarm information in hierarchical displays such as integrating lower level alarm information into higher-order alarms. Such an approach may lower operator alarm processing workload. However, if such a system is to be effective, it must integrate alarms into units that are meaningful to operators and represent units that the operator would have developed without the system. Hierarchical displays are typically presented in layers which can increase the operators interface management workload. Thus while alarm integration should facilitate operator information processing, display characteristics may inhibit its usefulness.
i Use ofAuditory Cuing The auditory characteristics of alarms have often been found to be problematic, i.e., startling i
and distracting. More appropriate and acceptable methods of using tonal cues need to be identified.
A-8
Enriching Auditory Cues While the visual features of alarm systems are often overwhelming, the use of operator's ability to extract information from auditory cues has probably not been fully exploited. For example, zonal auditory cuing (which is used in many plants already) can facilitate the i
operator's location of alarms. Auditory cues in advanced alarm systems may not have to provide spatial cues, but may be used to convey other information, such as alarm priority or alarm system / function.
I Alarm System Controls l
Increased Complexity with Advanced Alarm Systems The controls associated with advanced systems will likely become much more complicated and will require investigation. Additional operator controls may be required to provide control of features such as operator defined alarms, operator adjustment of limits, and operator control of filtering. These control options need to be identified.
Role ofAutomation In certain situations, such as accident conditions, some operator controls may be automated, such as the silencing of lower priority alarms. The most appropriate control functions for automation needs to be determined.
I Implementation of Controls in Advanced Alarm Systems In advanced control rooms, alarm systems will be integrated with other interfaces and will, therefore, share control interfaces for some functions, for example, keyboard entry of temporary setpoints. Some control functions may have dedicated control devices, such as SART controls. The mixture of " soft" and hard controls and dedicated vs. shared interfaces needs to be addressed.
Dialog Design Direct manipulation, command language, form lists, etc. are all options for control of the l
operator interface with the alarm system. The method of dialog with the system is an issue that should be addressed.
i A-9 r
ADT OPEN ITEM STATUS ABWR FSER x
g.
,,, -.g..
~,,,
l U,,,
...s F--
s,_
~
~~
^
'~
z,,,
... DE - 11b(1)
GE 170(26)
C L,,,
..s.
. DRSS'- 5
~~
~
O,,.
' s.
DSSA 139(2)-
=
DRIL - 5..
1,,,
... D O R S.
.3..
ADAR - 13 y,.
.. TOTALv 294(3) a a,,
Z,,
1 1 ! I l I l 1 1 1 ! l I i iil l I f I l iI 1 l I l i I i 1 1 I I 1 I l l ! I I l E
WEEK STARTING a
BASED ON FSER INPUTS
- Reflects submittals through 3/31/93 DATA AS OF 03/31/93 t
S
U
. i STATUS OF DFSER OUTSTANDING ITEMS i
TYPE TOTAL RESOLVED RESOLVED NET TOTAL (MARKUP)
(AMENDMENT)
OPEN 382 (63)
(25) 294 CONFIRM.
264 (77) 187 COL AI 252 (32) 220 o
TS ITEMS 23 (0) 23 f
e.
2 w
..--------.,.,.....--,.-.---~.,--.m.m.
,.----v'
.--..c,-
-, - - -. - -, -....,.. ~,, - < +,.. -...,,. - -,. -,.
DFSER ISSUE RESOLUTION PROCESS e
TECHNICAL MEETINGS AND AUDITS CONDUCTED PLANT SYSTEMS ELECTRICAL SYSTEMS
. STRUCTURAL / SEISMIC DESIGN i
RADIATION PROTECTION PIPING DESIGN PRA/ SEVERE ACCIDENT CLOSURE t
WEEKLY CONFERENCE CALLS ON REMAINING ISSUES e
GE SuBMITTALS: SSAR MARKUPS AND OTHER RESPONSES TO ISSUES JANUARY 22 SUBMITTALS-FEBRUARY-25 SuBMITTALS MARCH.
25+ SuBMITTALS 4
ADDITIONAL STAFF FEEDBACK To GE NEEDED TO SUPPORT AMENDMENTS y.
E.
l' n
I
_... _., - -.. ~ _..
w 4
e a-t
. m STRUCTURAL AND SEISMIC DESIGN FEBRUARY 22-25 AUDIT AT BECHTEL OFFICES 1
TECHNICAL AGREEMENT ON ALL ISSUES FROM PREVIOUS AUDIT AND DFSER e
CLOSURE OF 6 ISSUES FROM DFSER e-CLEAR PATH TO RESOLUTION FOR REMAINING DFSER ISSUES e
MEETING
SUMMARY
ISSUED LAST WEEK GE NEEDS TO PROVIDE SSAR MARKUPS AND AMENDMENTS e
e e.
~
-w-me
__,e-.
a-+=.. --w.---saw=.meva.+mwou-=-tmm4-m-.m
...e-.mA----,.-vtv e,
--ww mv.
om.---_-w,--w-1
.w.ve--,--.=wr-m.-r.*
e
-.4
.,ww-.c.re,,.
.=orr+vo--,w-wnw-+--
=we--.vw-*we,,.S+
==-,w.-
-e-+- w-=
ie-w
ELECTRICAL DESIGN ISSUE STATUS INTENSIVE SSAR ISSUES MEETING FEBRUARY 22-25, 1993 e
AGREEMENT REACHED ON ALL ISSUES DISCUSSED 9
GE SSAR MARKUP DUE ON MARCH 31, 1993 e
ITAAC FOR EDG AND POWER DISTRIsuTION MARKUP EXPECTED TNIs WEEK e
SCHEDULE FOR ADDITIONAL ITAAC TO BE PROVIDED e
TECHNICAL SPECIFICATIONS DUE THIS WEEK MEETING IN APRIL TO DISCUSS SSAR AND ITAAC g
e 2
l
_..,~-__._._,.~,__-.__.-____..-._.___~..._,._..,-,-._,__.-,_.._J..-,--.
.,..-..._..----.,......_,_..~..__.--___..-~__.-_..-~.__...,._.._.,,-.c
o l
INSTRUMENTATION AND CONTROLS ISSUES l
e ITAAC STATUS 1
GE SUBMITAL OF SECTION 3.4 ON 3/26/93 l
OVERALL STRUCTURE OF SECTION SSLC,~ SOFTWARE DEVELOPMENT, ELECTROMAGNETIC CAPABILITY STAFF To PROVIDE FEEDBACK BY MID-APRIL SUBMITTAL OF SETPOINT METHODOLOGY AND EQ BY MID-APRIL CURRENTLY No OUTSTANDING TECHNICAL CONCERNS GE ACTION TO UPDATE SSAR STILL OUTSTANDING s'
TECHNICAL SPECIFICATIONS GE SUBMITTAL DUE THIS WEEK STAFF'To PROVIDE FEEDBACK IN APRIL e
DIVERSITY AGREEMENT MADE ON ALL SIGNIFICANT TECNNICAL CONCERNS CLARIFICATION OF ASSUMED TIME FOR OPERATOR ACTION NEEDED AWAITING GE FEEDBACK AND SUBMITTAL v
O w
,a P
l-PIPING ISSUES e
DESIGN ACCEPTANCE CRITERIA GE HAS PROVIDED ALL REQUIRED INPUTS (PRELIMINARY)-
AGREEMENT MADE ON ALL SIGNIFICANT TECHNICAL ISSUES STAFF BENCHMARK PROBLEM REVIEW FINDINGS POSITIVE AWAITING GE SUBMITTAL TO INCLUDE A DISCUSSION OF STRIPING IN DAC e
OUTSTANDING MINOR. DESIGN ISSUES DESIGN ASPECTS ADDRESSING BULLETIN 88-08-DELTA T MONITORING (AWAITING GE SUBMITTAL) s DESIGN FOR FATIGUE-(SUBMITTAL. UNDER REVIEW BY STAFF)
OBE ELIMINATION-SOME CLARIFICATION NEEDED (DISCUSSIONS-TO BE HELD) n, 3'
8
?
t STATUS OF ABWR DETERMINISTIC SEVERE ACCIDENT EVALUATION Richard J. Barrett
, 1
ABWR DETERMINISTIC SEVERE ACCIDENT EVALUATION SCHEDULE ACRS meeting March 18,1993 Final ACRS meeting mid-June 1993 Draft FSER June 30,1993 GE Final SSAR & ITAAC submittsi July 31,1993 Final FSER August 30,1993 OPENISSUES SECY-90-016 Items Tracking 14 Items since 11/92 Additional items from 3/18/93 ACRS meeting TIER 1 INFORMATION AND ITAACs SAMDAs - Staff evaluating GE submittal INFORMATION NEEDED FROM GE k
l OPEN ITEMS ISSUE ACTION t
Core-Concrete interaction (MELCOR)
Staff t
Containment Sump Design GE Containment Bypass (DBA)
GE Containment Ultimate Pressure GE Suppression Pool pH Control (ACRS)
GE Hydrogen Detonation (COPS and Bypass) (ACRS)
GE Core-Concrete Interaction (Grating) (ACRS)
GE Equipment Survivability (ACRS)
GE i
Tier 1 Information arid ITAACs Severe Accident Requirements in 10 CFR 52, Appendix A Severe Accident Road Map for ITAACs Severe Accident Bases for Certified Design Description Design Criteria for Severe Accident Rule i
ITAACs for Severe Accident Role t
i i
I I
4 i
Information Needed from GE 1.
Containment Bypass - sensitivity studies that GE committed to submit in December 1992 s
2.
pH Control of Suppression Pool - GE should perform analysis and submit to NRC for evaluation to determine whether pH control is needed for severe accidents 3.
Core-Concrete Interaction - GE should perform analysis to determine the impact of the grating below the reactor vessel on core debris suspension 4.
Hydrogen Control - GE should determine whether the plant stack is capable of withstanding hydrogen detonations following a venting scenario or whether other areas are susceptible to damage following the release of hydrogen (bypass scenarios) 5.
Equipment Survivability - GE should identify all equipment relied upon for severe accidents and ensure that it is capable of functioning in the environment specified for the time period it is relied upon 6.
CDD & ITAACs - GE to submit roadmaps for severe accident insights into the certified design description and ITAACs Schedule of GE Submittals i
Need for GE/NRC Meeting
SECY-90-016 ITEMS Anticipated Transients Without Scram Closed Station Blackout Confirmatory (EELB)
- review of CTG to Reg. Guide 1.155 Fire Protection Closed Intersystem LOCA Open (GE/SRXB)
- review of GE submittals for conformance j
Hydrogen Generation and Control Closed Core-Concrete Interaction Open (SCSB)
- containment analysis using MELCOR i
High Pressure Core Melt Ejection Closed Containment Performance Open (SCSB)
- effect of CCI on containment performance f
ABWR Containment Vent Design Closed Equipment Survivability Open (GE/SCSB)
- review of equipment needed for severe accidents o
~
14 Open items from November 1992 i
- issue Descriotion Status l
1 CCl/ Cool Containment Sump Shield Design Open (GE)
Resolution Path: GE must either provide a finalized detailed description of the design or j
an ITAAC of sufficient detail to ensure adherence to conceptual design criteria i
2 CCl/ Cool Structural Evaluation of Containment Closed 3 CCl/ Cool Upward Heat Fluxes from Debris Open (SCSB)
Resolution Path: Staff will perform additional analysis using MELCOR to determine the effects of a time dependent heat flux on i
ablation rates and containment pressurization 4 FCI Stm. Explosion / Containment Capability Closed 5 Bypass Analysis of One Vacuum Breaker Open Closed f
~
6 Bypass Analysis of Max. Allow. Leakage Path Open (GE) l Resolution Path:
GE has not provided information that was supposed to be l
submitted in 12/92 7 Bypass increased Spray Flow / Bypass Capabh ty Open (GE)
Resolution Path:
GE has not provided information that was supposed to be i
submitted in 12/92 i'
8 Bypass "k" Value of 3.0 Open (GE)
Resolution Path:
GE has not provided information that was supposed to be submitted in 12/92 9 Bypass SA vs. DBA Containment Bypass Closed 10 SerlevC Evaluation of ASME Service Level C Closed
E issue Descriotion Status 11 UltPres.
Evaluation of Ultimate Pressure Capability Open (GE)
Resolution Path:
GE to address issues identified in 12/21/92 letter 12 HPME Upper Drywell to Lower Drywell Pathway Closed 13 InVessel Lower Head Failure Mechanism Open (SCSB)
Resolution Path: Staff to review GE analysis as part of SAMDAs 14 EPZ Consequence Analysis Open (EPRI)
Resolution Path:
Awaiting EPRI submittal and Commission guidance r
i
Issues Resulting From 3/18/93 ACRS Mtg.
1.
Reactor Water Cleanup System issue: Uncontrolled blowdown resulting in containment bypass Disposition 1
1.
GE presented evaluation to ACRS on August 19,1992 and no l
new open items were identified 2.
Staff evaluations to be provided by SPSB and SPLB in SER 3.
No additional action required 2.
Combustion Turbine Generator issue: Integration of combustion turbine generator controls Disposition 1.
Staff evaluation to be provided by EELB in SER 2.
No additional action required 3.
Fire Protection issues issue: ACRS comments from SECY-90-016 including the HVAC common header arrangement and single isolation between trains Disposition 1.
Staff evaluation provided by SPLB in SER 2.
No additional action required t
4.
Suppression Pool Issue: pH control following a severe accident Disposition 1.
GE should perform analysis 2.
Staff review and evaluation of GE analysis 5.
Hydrogen issue: ACRS comments from SECY-90-016 Disposition 1.
Staff re-review all ACRS comments and Commission SRM
- 2. No additional action required
6.
High Pressure Melt Ejection issue: Why require cavity design features for DCH concerns?
Disposition 1.
Staff to clarify acceptable cavity design features in SER 2.
No additional action required 7.
Containment Overpressure Protection System issue: Detonations following venting in stack or bypass paths-Disposition i
1.
GE should evaluate vent flow path and bypass routes and assess for detonation potential 2.
Staff review and evaluation of GE analysis 8.
Containment Overpressure Protection System Issue: Results of comprehensive regulatory review Disposition
- 1. Staff to brief ACRS on results of review in June 1993 9.
Core-Concrete Interaction issue: MELCOR runs addressing abistion rates and pressurization Disposition 1.
Staff evaluation of MELCOR results against containment performance goal 10.
Core-Concrete Interaction lssue: Impact of grating in lower drywell un CCI Disposition 1.
GE perform analysis to address concern 7.
Staff review and evaluation of GE analysis i
I
i 11.
SAMDAs issue: ACRS briefing on SAMDAs Disposition
- 1. Staff to finish SAMDA evaluation 2.
Staff to brief ACRS on results during June 1993 meeting 12.
Equipment Survivability
~
issue: Equipment required to operate in a severe accident Disposition 1.
GE should provide a roadmap of equipment relied upon for severe accidents and the environmental conditions where it is.to function
- 2. Staff review and evaluation of GE roadmap T
A
(
l c
j,,
i ABWR PRA ISSUES ISSUE CONCERN ACTION Submit final SSAR Staff awaiting GE's submittal GE, 8/1/93 of a final SSAR update. Staff has received many mark ups.
LOCAs Outside of Staff having difficulty reviewing NRC, 5/93 containment GE's submittal.
Staff will attempt to complete review with out further GE submittals.
GE should include these results in ABWR risk profile.
Requantify PRA GE needs to reflect GE's modified GE, 8/1/93 position on ECCS pump capabilities and LOCAs outside of containment in risk profile.
Containment isola-GE' recent change in ECCS pump GE, ?
tion failure due to capabilities may change conclusions seismic events on capability of plant to withstand containment failure.
DHR study Staff reviewing GE's DHR submittal. NRC, 5/93 Being reviewed by contractor and due April 1993.
Internal floods Staff reviewing GE's internal NRC, 5/93 flooding analysis.
Being reviewed by contractor with report due in April.
PRA-based seismic Staff and contractor reviewing NRC, 5/93 margins analysis GE's margins analysis. GE to submit updated analysis 3/31/93.
Contractor report due 4/1/93.
PRA-based ITAAC GE has received staff comments on GE, ?
its draft "first step" insights that are to be passed along to COL applicants.
GE and Staff agreed to process for developing PRA-based ITAAC insights in San Jose.
Staff to provide further markups of GE drafts.
GE to upgrade its submittal. Next step is identification of Tier 2 insights.
Site-specific verif.
Staff awaiting for Commission' NRC, ?
of external events action on SON-0F-SECY paper.
GE has no action unless mandated by Commission. 2
ISLOCA SPSB will close issue when SRXB GE, ?
is satisfied with GE' submittals.
Fire barrier clari-Staff waiting for GE clarification GE, 8/93 fication of fire barrier qualification for non-safety equipment penetrations.
COPS design In January staff identified GE, ?
possible vulnerebility in COPS design.
GE agreed and said it would modify design.
Staff waiting for new design.
ECCS pump temperature GE changed capability of ECCS GE, ?
capability pumps in ABWR to pump saturated water. Changes Class II sequences.
Staff awaiting GE submittal on sig-nificance of change.
EPGs vs PRA Recent GE submittal calls into GE, ?
question whether the ABWR PRA accurately reflects the EPGs for the ABWR.
G&' WO
~
'f ps /44 3 1, h5 1
The following chart is a summary of the status of issues raised by the staff concerning the ABWR PRA. This chart has been coordinated with GE to assure that it is as accurate as possible in portraying issue status. The chart is t
current as of March 29, 1993.
An issue is judged " confirmatory" in the chart if GE has submitted (by fax, discussion, meeting handout, or letter) sufficient information for the staff to draw its conclusion regarding the issue. Most of the information submitted by GE has been provided in a preliminary form. All information must be translated by GE into SSAR modifications that capture issue resolution. A few of the issues in the confirmatory list are being tracked there for completeness, although they were written up as " resolved" in the DFSER.
An issue is judged to be "open" in the chart if the staff is awaiting GE's response on staff questions or if the staff still has the issue under review.
[
t 1
P L
[
i f
li
~
r t
i 4
c STATUS OF ABWR PRA ISSUES March 29, 1993 ISSUE DESCRIPTION STATUS ACTION CONFIRMATORY ISSUES
- 1. RPS Reliability 0-1 (Closed in DFSER)
?
- 3. GE to defend 10RV S-2 frequency (Confirmatory Item 19.1.5.2-1)
- 4. GE to defend IORY C-1 (Confirmatory success criteria Item 19.1.5.3-1)
- 5. GE to defend one S-1 (Closed in unplanned trip per year DFSER)
- 6. GE to evaluate 0-2 (0 pen Icem
.t support system failures 19.2.1.5.2-1) i as initiating events
- 8. Confirm ATWS success C-2 (Closed in criteria DFSER)
- 9. Confirm RHR success SC-1 (Cicsed in-criteria DFSER)
data 19.1.5.4-1) c
- 12. GE to justify test C-4A (Confirmatory and maintenance data Item 19.1.5.5.2-1) analysis i
sensitivity to outage 19.1.5.5.3-1) times and surveillance intervals l
HPCF pump failure data DFSER)
- 15. GE to correct S-11 (Confirmatory credit taken for fire Item 19.1.5.4-1) water
- 17. Staff quitstioned S-5 TO S-8, 1-14 seismic cacacity of the (Confirmatory Item followir.g equipment:
19.1.6.3.2-1 and fuel assembly, flat-part of Open Items bottom tank, diesel 19.1.2.2.2-1 and generator, electrical 19.1.6.3.2-2) equipment
- 18. Staff proposed use S-10 (Closed in of LLNL hazard curves DFSER)
Y
- 19. GE to address SA-1 (Closed in hazard curve DFSER) uncertainties
- 20. GE to confirm I-10, 0-21B (0 pen i
seismic capacities of Item 19.1.2.2.2-1) equipment and incorporate into design specifications
applicant to a specific Item 19.1.6.3.2-1) seismic walkdown technique
- 24. GE to correct the S-3 (Confirmatory treatment of firewater Item 19.1.5.4-1) in the Seismic Class II CET
^
" requirements" and 19.1.2.2-1) insights to " Interface write up"
- 27. Determine if CETs 0-13B (0 pen Item need to address 19.1.7.2-1) wetwell-dr>vell bypass
- 28. Modify CETs for 0-17A, -178 (0 pen severe accident Items 19.1.7.5-1, phenomena 19.1.7.5-2, 19.1.7.6.1-1, 19.1.7.6.2-1, and 19.1.7.6.2-2)
- 29. Flashing during C-6 (0 pen Item venting (pool swell) 19.1.8-1)
- 30. Justify aspects of 0-14 (0 pen Item rupture disc set point 19.1.7.3-1)
- 31. Assess the impact 0-168. 0-18E. (0 pen of CCI on source terms Items 19.1.7.5-1 and 19.1.8-1)
- 32. Uncertainty 0-18A, -18B, -18C Analysis (0 pen Items Identify risk 19.1.7.7-1, significant 19.1.7.3-1, and issues from 19.1.7.4-1) previous BWR studies Screen issues for t
applicability to ABWR
- 33. Rupture disc S-9 (0 pen item operation before 24 19.1.7.3-2) hours
- 35. Credit for COPS S-4 (0 pen Item 19.1.7.3-1)
i
{
~i-Insights 19.1.2.2-1)
- 37. GE to compare PRA 0-1B (0 pen Items-5 sequences from 19.1.2.3-2, operating BWRs to the 19.1.5.11.2-1)
ABWR PRA sequences and identify why ABWR has lower CDF
- 39. AC Power Recovery Not an issue in DFSER.
- 40. Net risk impact of 0-15 (0 pen Item passive flooder system 19.1.7.4-1) 4
- 41. Backend Uncertainty
'0-18C (0 pen Item Analysis - Perform 19.1.7.7-1) sensitivity analyses for issues of potential e
risk significance to ABWR i
iv
- 42. Uncertainty 18E, 0-16 (0 pen Analysis - Treatment of Items 19.1.7.5-1 and CCI. coolability in CET
-2)
- 43. Uncertainty 0-18D (0 pen Item.
t Analysis - Treatment of 19.1.7.6.1-1) i direct containment l
heating in CET
- 44. Consequence related CA-1,2,3 issues (Confirmatory Item
- site acceptability 19.1.9-1) Staff
.j
~- correct weather believes that no-i treatment further action
- revise consequence required by GE.
analysis as part of PRA update
- 45. Fire analysis input Open Items to' RAP 19.1.2.2.2-4 and 19.1.6.4-6 t
i I
i
.... ~. - -. -.
i
- 46. GE is to list 0-21 A (0 pen Item assumptions / reliability 19.1.5.4-2) i 3
values for systems that are not part of the ce'rtified design, but j
are modeled in the PRA t
(GE l
seismic capacities of to submit by-systems not in the 12/31/92) Open Item certified design 19.1.6.3.2-1
- 48. GE to use PRA I-15 (0 pen Item insights to suggest 19.1.5.9-1) 1 areas to be added to the ABWR reliability assurance program
- 49. Spread of smoke in Open Items 19.1.6.4-l' safety-related 2 and -3 bu4.1 dings
- 50. COL applicant to Open Item 19.1.7.5-1 use basaltic concrete in constructing containment.
- 51. Accident sequence Confirmatory items classification 19.1.5.8-1,.
inconsistencies 19.1.6.3.6-1
- 52. Uncertainty 0-18G (0 pen Item Analysis - Treatment of 19.1.7.2-1) wetwell-drywell bypass in CET (formerly Open i
Item 3 in PRA Issues Status Report)
- 53. Accident management NRC-2 (0 pen Item (formerly Open Item 4
????)
in PRA Issues Status Report)_
- 54. SAMDA/NEPA NRC-3 (0 pen Items submittals (formerly 19.4-1, 19.1.2.4.3-Open Item 5 in PRA 3) i Issues Status Report) t 8
i
~
I
- 55. Human factors in C-5 to I-7 (0 pen PRA (C-5, 0-7 thru 0-Items 19.1.5.6-1, 10, I-2 thru I-7) 19.1.5.6.1-1, (formerly Open Item 9 19.1.5.6.2-1, in PRA Issues Status 19.1.5.6.3-1)
Report) e 6
e 7
e
~
ISSUE DESCRIPTION STATUS ACTION OPEN ISSUES
- 1. GE needs to take its Staff has reviewed or is GE's action to informal submittals and reviewing GE's partial submit final SSAR write them up in the submittals as they are writeup. Staff to SSAR.
received.
then compare GE final with GE draft submittals and faxes. Anticipate final SSAR submittal about July 1993.
- 2. GE is to analyze GE's previous submittais on GE was told on LOCAs outside of these LOCAs were not 3/22/93 to containment (0-4) acceptable to the staff or incorporate ex-the ACRS. The staff had containment LOCA numerous problems with the frequency into level GE approach and asked GE to 1 and 3 analysis.
perform a traditional event The staff is tree / fault tree analysis of continuing its LOCAs outside of review and containment rather than a attempting to split fractions arguement, determine if it can GE submitted reanalyses on come to an 11/5 and 12/17/92. Staff appropriate comments to GE in mid-conclusion based on January 1993, the GE submittals to date. 0-4B (0 pen Item 19.1.11.4-1)
- 4. Requantify PRA December 1992 issues GE to respond to resolved between GE and March questions staff. New issues raised concerning Class II during w\\riting of FSER and treatment in level 1 due to GE's changes in and level 2.
PRA-1A assumptions of (0 pen Items capabilitries of ECCS 19.1.5.11.2-1, pumps. GE told by staff to 19.1.5.7-1, 19.1.10-provide legible level-1 1)
ETs. GE told by staff in March 1993 to include results from updated analyses of LOCAs outside containment and modified Class II sequences in risk profiles.
1 L
i
- 6. Containment GE has indicated that no GE analysis must isolation failure pathways out of containment investigate the during seismic event.
have HCLPFs less than 0.69 effect of changing h
This is acceptable to the the assumed staff. However, on temperature at which February 24, 1993, GE told saturated water can the staff that its PRA be pumped by the assumptions about the ECCS pumps. GE has capabilities of the ECCS not provided an pumps were incorrect. GE estimated date for is to address the effects completion of their of the new assumptions.
updated submittal.
(0 pen Items... and 19.1.6.3.2-4 (0-4, 0-19)
- 7. GE to provide decay GE submitted heat removal responses to earlier reliability study staff questions on 12/18/92. Staff contractors are to submit their write up on the GE's modified DHR analysis on 4/1/93.
Staff will complete its review and write up of these issues at the end of May.
0-20 (0 pen Item 19.1.2.2.3-1).
- 8. GE to provide
- The staff has received a GE submitted updated internal flooding description of the flooding analysis on analysis subcompartment analysis of 12/18/92.
Staff a high prassure pipe break requested in the kWCU room. Analysis clarification of being checked by ECGB.
analysis on March 24, 1993. Staff has contractor reviewing flooding analysis.
Contractor report to staff due on April 1, 1993.
ECGB to complete its review by ??????.
1-9 (0 pen Items 19.1.2.2.2-5 and 19.1.6.5-1).
- 10. GE to provide PRA-GE to resubmit PRA-I based seismic margins based seismic analysis margins analysis that answers staff's questions on 3/31/93. Staff has contractor reviewing GE's older margins t
analysis submittal.
Contractor's report due April 1, 1993.
SA-2 (0 pen Items 19.1.6.3.2-1, 19.1.6.3.4.1-1, 19.1.6.3.2-5 and Confirmatory item 19.1.6.3.4.2-1)
- 11. GE to provide PRA-In a January meeting in San On 3/6/93 GE faxed a based input to ITAAC Jose, the staff and GE partial draft agreed upon the outline of version of PRA-based a process to identify insights. On issues that should be added 3/24/93 the staff to the design control faxed its comments document based on PRA to GE. GE has not insights. Further set a completion discussions with GE by date for submitting phone during March. GE the rest of the appraised of staff's views insights to be of GE's draft submittals.
passed on to a COL applicant. On 3/26-GE and staff discussed insights.
GE to document its process of developing insights.
GE to provide insights at a level of detail suitable for use by a COL applicant. Staff to mark up GE's draft submittals again to highlight those areas that meet staff expectations.
Staff to show marked up version and staff comments to staff ITAAC experts for their comments.
The next stage after review of the
t insights by the i
t staff is the-
'I determination by GE about which of these i
insights belongs in Tier 2.
No date has i
been postulated yet by GE.for completion i
of this step. Last i
step is submittal of Tier 2 information to GE/ staff analysts to determine which Tier 2 insights' belong in Tier 1.
GE and the staff.are working hard to iron out the process.
PRA-3 (0 pen Items 19.1.2.4.2-1, i
19.1.5.2-4, 19.1.5.4-3, 19.1.6.3.2-3, 19.1.6.4-4, 19.1.6.4-5)
- 12. Site specific The staff's draft SECY The staff's action l'
design verification:
paper on Design-is to wait for the external floods, certification and Licensing Commission to come
+
transportation hazards Policy Issues Pertaining to to a' decision about-Passive and Evolutionary this policy matter.
Advanced Light Water GE believes that it-Reactor Designs states that need not take any.
10 CFR 52.47 requires the action. The staff analysis of both internal agrees that'no and external events. At action on the part i
the Design Certification of GE is warranted stage, site-specific events at this time.1-8 such as tornadoes and extreme wind may be enveloped using bounding r
analyses to show that the events are insignificant.
In performing the COL review, the staff will review the site-specific characteristics to ensure that events enveloped by the bounding analyses have a
been properly addressed.
I i
l l
- 13. GE is to analyze The Reactor Systems Branch SRXB. 0-3 (0 pen
(
interfacing LOCAs is not satisfied with the Items 19.1.5.2-2 and resolution proposed by GE
-3) for its upgrading of low pressure system piping.
This issue will remain open until GE/ staff agree on upgrade criteria and the staff PRA people can review it to determine if the resolution has any negative effect on its conclusions.
GE has submitted its proposed resolution to this issue.
- 14. Fire barrier GE to provide wording in Staff awaiting penetrations SSAR that states that all marked up SSAR.
penetrations will be Open Item 19.1.6.4-1 qualified to same level regardless of whether they contain safety or nonsafety equipment.
- 15. Containment On January 21, 1993, the On 3/5/93 GE overpressure between staff identified the indicated it would
(.
rupture discs (new Open potential for the volume modify the COPS Item) between rupture discs being design to remove one pressurized before or of the rupture during an accident. Such discs. The staff is an event would prevent the awaiting design rupture discs from opening details. GE has not at their design pressure.
provided an estimated date for submittal of this information.
- 16. Suction temperature GE had previously indicated GE is investigating at which ECCS pumps can that ECCS pumps could the effect that operate (new Open Item) operate all the way up to lower pump design the COPS opening pressure, temperatures will pumping saturated water.
have on its PRA On 2/24/93 GE told the
- results, staff that it had modified assumptions, and its claim and now assumed insights. GE has that only the RHR pump's not provided an design is qualified to pump estimated date for to the COPS pressure submittal of this setpoint. This information.
particularly affects Class II sequences (loss of containment cooling).
t
i'
.I o
i
.PRA -(new Open Item) submittals -it is unclear GE aware by fax and.
j whether the ABWR PRA by conference call i
accurately reflects the of this concern.
i ABWR EPGs. A quick-review of the EPGs in the SSAR shows that there are i
apparent inconsistencies with some PRA assumptions.
i t
1 f
1 4
t I
i
~
];
i 4
I 1
l 1
t t
k-I t
i
STATUS OFPRA-RELATED OPENISSUES (FSERSECTION 19.1)
No.
ISSUE STATUS 2
LOCAs Outside of Containment Submittal of March 1 is believed to address aII I
remainingissues Staff feedback was expected lV24. Now expected 4/1.
4 Requantify PRA Requentification submitted 1992. Remaining questions answered 12/1W92. Minor clarifications provided last week. Staff feedback expected soon.
Seismic Marains-Related:
5 Seismic Capacities ^
Analysis to be resubmitted.V31 to answer remaining 9
'ContainmentIsolation NRC questions.
13 Margins Analysis 7
Accident Management GEsubmittalcomplete. Reviewerthinks OK. Staff was to complett FSER input 2/2W91 New schedule: V31.
22 0
2 Jg()k31;D l
C
._______.___.._._.____..__.__.,..-.._.___,____.-.._...~.L,_.-.~,-..____--_...
STATUS OF PRA-RELA TED OPEN ISSUES (Continued) 1 No.
ISSUE STATUS 8
SAMDA Submittal Update submitted 12/1G92. Under staff review.
Reviewer thinks OK.
Staff review should be completed 4f31.
10 Decay Heat Removal Reliability Study Under review by NRC contractor. Staff to complete review by late April.
11 InternalfloodingAnalysis Recent questions answered. Additional discussions heldW29. Stalf to complete review bylate April.
2-
STA TUS OF PRA-RELA TED OPEN ISSUES (Continued)
No.
ISSUE STATUS 12 Human Factors GEsubmitted 12/15/92. Staffindicates now confirmatory.
I 14 PRA - Based " Input to ITAAC" Fourparts to staff as of 3@93: level 2 Fire, Flood, Seismic. Additionaldiscussion today.
Remaining parts: Level 1, bypass, shutdown.
15 Site Specific Design Verification for Staff willrequire action by applicant. No further GE ExternalHazards action is needed.
3
=
STA TUS OF PRA-RELA TED OPEN ISSUES (Continued)
No ISSUE STATUS 16 Interfacing LOCA
" Nth" GE submittal scheduled for.VJ1f)3, slipping to earlyApril.
1 SSAR Submittals Most responses are in the form of SSAR submittals.
Schedule for balance and review of staff DFSER being developed.
Recentissues without Numbers Potential for containment over-pressure Addressedby design modification; single line with one protection line to pressurire between rupture disk.
rupture disks.
ECCS pump suction from hot suppression NRC wants more analysis, expanded event tree and poolcould expose pumps to above consistencyreview: level 1, level 2. EPGs. To be i
design basis temperature.
discussed today.
+
..____.___..-___2.-.--_.._-.-...;.,_...-
,..,...s.
..m---.
., _-.,... _.. ~ - -.
w;,
j
.x i
l i
Major issues Raised in NRC March 12 Letter:
Class 2 Sequences j
i l
Class 2 Sequences /Early Containment I
Venting /ECCS Pump Qualification Staff: Need much more detailed event trees + questions on design t
details.
1' I
GE: More detailed trees not needed i
Inconsistencies in EPGs vs PRA I
RPV Blowdown with only RCIC available
.i I
l t
I t
i k
ll!
J@
, 4 I
- s
Class 2 Sequence Model
. Class 2"
- Core Cooling Success
- Containment Cooling Not Success
. Level 1 Event tree Asks:
Feedwater OK?
RCIC OK?
HPCF OK?
. At the first OK, ask:
t Containment heat removal OK?
If no, Class 2 to containment event tree
. Simple model which does not " Remember" reason for core cooling success, many conbinations possible, e.g.:
- RCIC - Condensate storage suction
- Suppression Pool suction
- RCIC + 1HPCF
- RCIC + 2HPCF
- 1or 2 HPCF - Condensate storage suction
- Suppression pool suction Recent staff questions suggest this need.
f 2
Containment Event Tree For Class 2 Sequences
. Simple Model 10-1 Recover heat removalin time? If, no t
10-2 (Before vent added) containment fail leads to loss of ECCS 10-2 Later in program, after added vent to prevent containment failure i
10-2 Fire water to prevent core damage 10-7 Used 104 espesis 10-6 of Class 2 go to core damage 104 in Level 1 results. Did not bother to credit vent and reduce CDF from 10-12 o 10-10.
t No modeling of:
- Manual containment venting at low pressure (conservative)
- Suppression pool heatup degrading ECCS pump performance (possible, but not likely)
- Recent staff questions suggest need for modelling t
3
Manual Containment Venting at Low Pressure
- No change from owners group EPGs.
Through 22 inch drywell, wetwell purge exhaust lines to much larger ventilation lines and out stack.
Preliminary calculation: at 1.7 psig containment pressure (isolation setpont) flow exceeds steaming rate from suppression pool.
Expect that radiation isolation setpoint not exceeded.-
Containment isolation is not expected.
Maximum suppression pool temperature 212F.
r 4
i
~
d
-l l
Core Cooling Pump Performance RHR (probably not available) designed for 358F.
j i
HPCF (probably available) designed for 212F.
l Normal suction is condensate If condensate not available and manual venting did.
j notoccur, higher suction temperatures (slowly rising to 340F) will occur.
l It may be easy to design for 340F with wlittle cost change.
GE is considering this option.
j RCIC designed for 170F j
Normal suction is from condensate. If not available, possible i
degradation.
4 Other pumps available (all with cold suction source):
l feedwater, condensate, firewater pumps.
If cold external source is used, containment water inventory j
1 willincrease and additional steam will be condensed.
Containment pressure could be slightly higher (10-20%
without credit for steam condensation)
THIS DETAIL IS NOT WORTH MODELING IN EVENT TREES WHICH WOULD BECOME VERY COMPLEX.
5.-
y H
R
O a
Other issues l
Minor inconsistencies, staff misunderstandings re: EPGs. Will address soon.
RPV blowdown with only RCIC available. EPG/PRA analyses not consistent. GE is considering what is the correct strategy.
6 p
h t
I i
k 6
e