ML20042D118

A Status Report Regarding Industry Implementation of Safety Parameter Display Systems

Issue date: 04/30/1989
From: R. Correia, R. Eckenrode, P. Goodman, G. Lapinsky, Office of Nuclear Reactor Regulation
References: NUREG-1342, NUDOCS 8905100248



A Status Report Regarding Industry Implementation of Safety Parameter Display Systems

U.S. Nuclear Regulatory Commission, Office of Nuclear Reactor Regulation
G. W. Lapinsky, Jr., R. J. Eckenrode, P. C. Goodman, R. P. Correia

NUREG-1342

AVAILABILITY NOTICE

Availability of Reference Materials Cited in NRC Publications

Most documents cited in NRC publications will be available from one of the following sources:

1. The NRC Public Document Room, 2120 L Street, NW, Lower Level, Washington, DC 20555
2. The Superintendent of Documents, U.S. Government Printing Office, P.O. Box 37082, Washington, DC 20013-7082
3. The National Technical Information Service, Springfield, VA 22161

Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive.

Referenced documents available for inspection and copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers; and applicant and licensee documents and correspondence.

The following documents in the NUREG series are available for purchase from the GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission Issuances.

Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.

Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional reports can usually be obtained from those libraries.

Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.

Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the Office of Information Resources Management, Distribution Section, U.S. Nuclear Regulatory Commission, Washington, DC 20555.

Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available there for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards Institute, 1430 Broadway, New York, NY 10018.

NUREG-1342

A Status Report Regarding Industry Implementation of Safety Parameter Display Systems

Manuscript Completed: December 1988
Date Published: April 1989

G. W. Lapinsky, Jr., R. J. Eckenrode, P. C. Goodman, R. P. Correia
Division of Licensee Performance and Quality Evaluation
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Washington, DC 20555

ABSTRACT

This report provides a summary of the results of the U.S. Nuclear Regulatory Commission staff's review of installed safety parameter display systems (SPDS) at 57 nuclear units. The staff describes its rationale and practice for determining acceptability of some of the methods for satisfying the various requirements for SPDS as well as some methods that the staff has not accepted. The staff's discussion of identified strengths and weaknesses should aid licensees in solving some of the problems they may be experiencing with their SPDS.

iii

CONTENTS

                                                                    Page
ABSTRACT ............................................................ iii
ACKNOWLEDGMENT ...................................................... vii
I.   INTRODUCTION ..................................................... 1
II.  DISCUSSION ....................................................... 2
III. EXAMPLES OF SPDS FEATURES OBSERVED IN PAST REVIEWS ............... 3
     III.A RAPID, RELIABLE, CONCISE DISPLAY ........................... 3
           III.A.1 Concise Display .................................... 3
           III.A.2 Rapid Response ..................................... 4
           III.A.3 Reliability ........................................ 6
                   III.A.3.a Data Validity ............................ 8
                   III.A.3.b Reliability/Availability ................ 12
           III.A.4 Conditions When SPDS Should Be Operational ........ 13
     III.B CONVENIENT LOCATION AND CONTINUOUS DISPLAY ................ 13
           III.B.1 Convenient Location ............................... 14
           III.B.2 Continuous Display ................................ 14
     III.C ISOLATION FROM SAFETY SYSTEMS AND PROCEDURES AND TRAINING . 14
           III.C.1 Isolation from Safety Systems ..................... 15
           III.C.2 Procedures and Training ........................... 18
     III.D SELECTION OF INFORMATION FOR DISPLAY ...................... 19
           III.D.1 Selection of Information for Display .............. 19
           III.D.2 Prompt Implementation ............................. 20
     III.E HUMAN FACTORS AND SPDS DISPLAYS ........................... 20
     III.F MINIMUM PLANT PARAMETERS FOR DISPLAY ...................... 21
           III.F.1 Acceptable Parameters for PWRs .................... 26
                   III.F.1.a Reactivity Control ...................... 26
                   III.F.1.b Core Cooling and Heat Removal ........... 27
                   III.F.1.c RCS Integrity ........................... 28
                   III.F.1.d Radioactivity Control ................... 28
                   III.F.1.e Containment Conditions .................. 29
           III.F.2 Acceptable Parameters for BWRs .................... 30
                   III.F.2.a Reactivity Control ...................... 30
                   III.F.2.b Core Cooling and Heat Removal ........... 30
                   III.F.2.c Pressure Vessel Integrity ............... 31
                   III.F.2.d Radioactivity Control ................... 31
                   III.F.2.e Containment Conditions .................. 32
IV.  DEFINITIONS OF AN OPERATIONAL SPDS .............................. 32
V.   SUMMARY ......................................................... 33
REFERENCES ........................................................... 34
BIBLIOGRAPHY ......................................................... 35

ACKNOWLEDGMENT

This report was prepared by the U.S. Nuclear Regulatory Commission (NRC), Division of Licensee Performance and Quality Evaluation, Human Factors Assessment Branch, with assistance from Science Applications International Corporation (SAIC) and Comex Corporation. The NRC Human Factors Assessment Branch specifically acknowledges the efforts of Joseph DeBor of SAIC and Gary Bethke of Comex Corporation in developing this report.

vii

I. INTRODUCTION

Beginning with the TMI Action Plan, NUREG-0660 (Ref. 1), NRC has issued several regulatory and review guidance documents relevant to the requirement for all licensees and applicants to install a safety parameter display system (SPDS). Documents issued included the following:

o NUREG-0737, Clarification of TMI Action Plan Requirements (Ref. 2)
o NUREG-0696, Functional Criteria for Emergency Response Facilities (Ref. 3)
o NUREG-0835, Human Factors Acceptance Criteria for the Safety Parameter Display System, Draft Report for Comment (Ref. 4)

On December 17, 1982, Generic Letter No. 82-33 transmitted Supplement 1 to NUREG-0737 (Ref. 5) to all licensees and applicants. Supplement 1 condensed existing NRC guidance regarding emergency response capability into one document. The SPDS, TMI Action Plan Item I.D.2, was one of the five items addressed in Supplement 1 to NUREG-0737.

When Supplement 1 to NUREG-0737 was issued, the staff recognized that the action plan items regarding emergency response capability were far-reaching concepts with a high degree of interrelationship. Also at that time, some licensees indicated that their Commission-approved schedules for implementing these requirements could not possibly be met. Therefore, in Supplement 1, the staff took a less prescriptive approach to applying its requirements. First, the requirements were stated as general guidance that would not alter or replace previous guidance, but would put it in perspective by identifying the elements that the staff believes essential to upgrading emergency response capability. Second, because the requirements were described in a guidance document (Supplement 1 to NUREG-0737) and were actually imposed as requirements by other, plant-specific regulatory mechanisms, such as Commission confirmatory orders or license conditions, all licensees and applicants had the opportunity to negotiate reasonable, achievable, plant-specific schedules.

Because the staff believed that the SPDS could provide significant safety improvement to nuclear power plant control rooms in a relatively short time, licensees and applicants were urged to install a system without undue delay. Further, the NRC allowed licensees and applicants to install the systems without prior approval to ensure that the NRC review process would not delay SPDS implementation. However, licensees and applicants were given the option of pre-implementation review and approval if they so desired.

On December 26, 1984, the NRC "Standard Review Plan" (SRP), NUREG-0800 (Ref. 6), was revised to incorporate Section 18.2, "Safety Parameter Display System," and Appendix A to SRP Section 18.2, "Human Factors Review Guidelines for the Safety Parameter Display System." This revision described the acceptance criteria, review procedures, and applicable guidance for NRC staff to use in reviewing SPDS.

1

Based on its operating license reviews at plants under construction, the staff discovered that serious technical problems existed in the implementation of SPDS at some units. To determine whether these problems were being experienced at operating plants as well, the staff visited six operating reactors from July to November 1985. At the conclusion of this survey, the staff reported the following findings in NUREG/CR-4797 (Ref. 7):

    Observations from these visits strongly suggest that utilities may be having major difficulties in designing and implementing their SPDSs. As long as two years after having been declared operational, three of six SPDSs were found to be highly unreliable, displayed inaccurate information, and offered considerable potential for misleading and confusing operators. Several of these SPDSs appeared to face many months of continued developmental effort. Operator acceptance was often very poor because operators had not been involved in the development process and because the systems were so undependable and unreliable; negative attitudes in some cases extended also to supervisory and management personnel.

    In short, if the SPDSs reviewed were representative, many SPDSs may not achieve the goal of aiding control room operators in rapidly and reliably determining the safety status of the plant during an emergency.

The staff subsequently issued NRC Inspection and Enforcement (IE) Information Notice (IN) 86-10, "Safety Parameter Display System Malfunctions" (Ref. 8), to inform licensees of the results of the survey program. Since February 1986, when IN 86-10 was transmitted, the staff has received several requests for extensions of implementation schedules, requests for clarification regarding the definition of an "operational SPDS," and questions about SPDS deficiencies and their resolution. These requests appear to indicate that confusion still remains regarding the basic requirements for SPDS, the staff's review process for SPDS, or both.

This report was developed to describe the staff practice for determining the acceptability of some of the methods used to implement the SPDS requirements. The following sections document various methods used by applicants and licensees to meet the SPDS requirements. The report also discusses the rationale used by the staff to determine whether an SPDS was acceptable or unacceptable. By providing a history of its past reviews, with a full discussion of staff practices and exceptions, the staff expects that industry will be better able to understand and implement acceptable SPDSs.

II. DISCUSSION

The following sections restate the major requirements for SPDS and describe some of the various methods by which licensees and applicants have responded to those requirements. The staff rationale and practices for determining the acceptability or unacceptability of each method are stated and explained. Where a licensee's or applicant's method for satisfying a requirement was unacceptable, the staff rationale and practice is fully explained, including the underlying basis for the requirement and associated regulatory guidance.

The discussion of staff practices sometimes necessitates the definition of terms, general principles, and assumptions. When this is the case, these items have been highlighted by underscoring or as notes within the text.

2

III. EXAMPLES OF SPDS FEATURES OBSERVED IN PAST REVIEWS

III.A. RAPID, RELIABLE, CONCISE DISPLAY

    The SPDS should provide a concise display of critical plant variables to the control room operators to aid them in rapidly and reliably determining the safety status of the plant. Although the SPDS will be operated during normal operations as well as during abnormal conditions, the principal purpose and function of the SPDS is to aid the control room personnel during abnormal and emergency conditions in determining the safety status of the plant and in assessing whether abnormal conditions warrant corrective action by (control room) operators to avoid a degraded core. This can be particularly important during anticipated transients and the initial phase of an accident. (NUREG-0737, Supplement 1, Section 4.1.a)

This requirement is interpreted by the staff as containing five essential elements or concepts:

o concise display
o critical plant variables
o rapid response
o reliable
o conditions when SPDS should be operational

These elements are discussed below, except for the concept of critical plant variables, which is discussed in Section III.F of this report.

III.A.1. Concise Display

Of the units reviewed thus far, 37 acceptably satisfied this requirement. Twenty-six units did so by providing a single display of critical variables on a cathode-ray tube (CRT) device. Others provided two CRT displays in a side-by-side configuration, usually with plant process variables on one screen and radioactivity control variables on the other. The staff found this method acceptable contingent on the full set of SPDS variables being "continuously displayed" (see III.B.2 for acceptable methods of providing continuous display).

Twenty units provided a single CRT display augmented by conventional control room instruments. The staff accepted this method only in those cases in which it was impractical to include the data from the conventional display on the CRT display because it was not part of the computer data base; the conventional display was easily readable from the SPDS user's position; the parameter displayed on the conventional display was defined as part of the SPDS parameter set; and a commitment was made to preserve the visual relationship of the SPDS and the conventional display.

In several cases the actual words or values on the conventional display could not be read from the SPDS user's position. However, in some of these cases the staff found this situation acceptable because the information being transmitted was a simple status, e.g., an on/off light or open/closed light, and the display was enhanced by either pattern recognition or location highlighting.

In a few cases the staff did not accept the mixed-mode display concept. In one system the conventionally displayed information was required to be read but could not be, and it was not amenable to pattern recognition. In the others, the conventional display was not in the SPDS operator's field of view and would necessitate a change of the operator's position to be read.

The basis for the requirement for a concise display stems from the lack of centralized display capability in the TMI-2 control room. Control room personnel could not easily develop an overview of plant conditions in the TMI-2 control room because the available displays were widely dispersed and provided component-level information. This situation hampered decision-making because it did not facilitate the comparison of variables or the integration of various symptoms within the same timeframe. At the same time it induced some unproductive behaviors, such as fixation on a limited set of plant variables and undue attention to irrelevant plant anomalies while safety functions were in jeopardy. Therefore, the staff found unacceptable any SPDS that made it necessary for the user to leave the SPDS to gather information necessary to assess the status of the critical safety functions, or that otherwise caused the operator to turn attention away from the primary SPDS location.

III.A.2. Rapid Response

Note: The staff assumes that in order for a control room operator to determine the safety status of the plant rapidly, five conditions should exist:

(1) Information presented should represent current plant conditions, i.e., real-time data;
(2) Information should be sampled at a rate that assures that no meaningful data, or trends in that data, will be missed, i.e., the sample rate should be sufficient to assure that data is of appropriate resolution;
(3) Information should be updated on the display often enough to assure that changes in plant status will not be masked or lost by the passage of time, i.e., the update rate should be consistent with, and sufficient to represent, expected variations in plant safety parameters;
(4) Information should be rapidly accessible to the operator, i.e., system response times of about 2 to 3 seconds and no greater than about 10 seconds maximum;
(5) Information should be in a simple, easy-to-understand format that can be rapidly comprehended.

Many of the SPDSs reviewed by the staff satisfied this requirement by installing systems that provide real-time data that is sampled and updated at meaningful rates. Acceptable sampling rates were judged in the context of required resolution, e.g., reactor coolant system (RCS) pressure requires data resolution in terms of seconds, while certain radiation levels need to (or can only) be sampled every 30 seconds, 60 seconds, or several minutes.

In its reviews, the staff urged licensees and applicants to minimize differences between sampling rate and update rate so that operators would not be misled, e.g., a variable that is updated on the display screen every 2 seconds but is sampled only once a minute will appear to be stable, when it may in fact be increasing or decreasing. The staff exercised flexibility in applying these principles during reviews, depending on the instrumentation available and the variable being measured.
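The sample-rate/update-rate mismatch described above, as an added illustration that is not part of NUREG-1342 or any licensee's SPDS software. It simulates a screen that redraws every 2 seconds from a channel sampled once a minute, and adds the freshness check a reviewer would want: the displayed point carries the age of the underlying sample and is flagged stale when that age exceeds a limit. The linear depressurization, the 60 s/2 s periods, and the staleness limit of two update periods are constructed assumptions.

```python
"""Added example (not from NUREG-1342): a fast display refresh over a slow
sample hides a trend; tracking sample age exposes it.

Assumptions (constructed, not from the report): a linear RCS pressure ramp
of -10 psi/s from 2235 psig, a 60 s sample period, a 2 s display update
period, and a staleness limit of 4 s (two update periods)."""

from dataclasses import dataclass


@dataclass(frozen=True)
class DisplayedPoint:
    t: float       # wall-clock time of the display refresh (s)
    value: float   # value shown on the screen
    age: float     # seconds since the shown value was actually sampled
    stale: bool    # True if age exceeds the staleness limit


def true_pressure(t: float, start: float = 2235.0, rate: float = -10.0) -> float:
    """Constructed plant signal: a linear depressurization (psig)."""
    return start + rate * t


def sampled_value(t: float, sample_period: float, signal=true_pressure):
    """Return (value, sample_time) of the latest sample taken at or before t."""
    sample_time = (t // sample_period) * sample_period
    return signal(sample_time), sample_time


def displayed_trace(duration: float, sample_period: float, update_period: float,
                    max_age: float, signal=true_pressure) -> list:
    """Simulate what the screen shows at each refresh.

    Every refresh redraws the latest *sample*, not the current plant value,
    so a fresh refresh timestamp is no evidence that the data is fresh.
    Only the age of the underlying sample is."""
    points = []
    refreshes = int(duration // update_period) + 1
    for i in range(refreshes):
        t = i * update_period
        value, sample_time = sampled_value(t, sample_period, signal)
        age = t - sample_time
        points.append(DisplayedPoint(t, value, age, age > max_age))
    return points


def apparent_change(trace: list, t0: float, t1: float) -> float:
    """Change in the displayed value between two refresh times."""
    lookup = {p.t: p.value for p in trace}
    return lookup[t1] - lookup[t0]


if __name__ == "__main__":
    trace = displayed_trace(duration=120, sample_period=60, update_period=2, max_age=4)
    for p in trace[:31:10]:
        print(f"t={p.t:5.0f}s shown={p.value:7.1f} actual={true_pressure(p.t):7.1f} "
              f"age={p.age:4.0f}s stale={p.stale}")
```

Between t = 0 and t = 58 s the screen is redrawn 29 times and shows the same 2235 psig every time while the plant has lost 580 psi; the `stale` flag is the only thing on the screen that tells the operator the number is a minute old.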

Acceptable systems provided data that was consistent with conventional control room instruments. They also provided simple displays that allowed immediate recognition of normal, abnormal, and emergency conditions. System response times to operator commands were 10 seconds or less, from the initial keystroke or cursor movement to updated screen.

Note: Good human engineering practice prescribes that system response time to requests for graphic output, such as typical SPDS displays, should be no greater than about 10 seconds. When system response time exceeds 15 seconds, the operator should be provided with feedback that there will be a delay in servicing the user's request or command.

Overall, these characteristics yielded systems with which an operator can see a current, accurate overview of the plant in ten seconds or less. Most of these are enhanced by summary status indicators or pattern-recognition aids that allow operators to see at a glance whether any plant safety function is abnormal.

A few systems did not display real-time data for at least some of the SPDS variables. Because the SPDS is intended to coordinate a variety of widely distributed control room instruments into one concise display, real-time or near-real-time data is necessary to provide the operator with an overview of the plant that is the equivalent of, and is consistent with, the control room instruments it represents.

Some systems were found deficient because sampling rates were too slow. Others were deficient because sampling rates could be changed without the knowledge of the operators. In cases where the sample rate was too slow, it was the staff's judgment that significant changes in plant state could be masked and operators could be misled. In cases where the sampling rates could be changed, the operators were generally not aware that the sample rates were variable and could be changed; they assumed that all data was being sampled at a rate equal to the display update rate. Because there were no mechanisms in place for controlling changes in sample rates and operators were unaware of this capability, these changes presented some risk that operators would be misled or confused by the SPDS if the sampling rates were changed.

Eleven units had systems that the staff found to be unacceptably slow in displaying changes in plant safety status. Several of these were found to be unacceptable because the system did not update data automatically. Rather, these systems would take a "snapshot" of plant conditions when requested to do so by a user. This feature was found to be unacceptable because (1) the data displayed is quickly outdated; (2) it may not be a representative sample of plant conditions; (3) discrimination of trends necessitates the operator doing successive iterations of manual updates; and (4) in some systems, there is a risk that an old display screen could be mistaken for new data.

Some systems were unacceptable because the response to operator commands was unpredictably variable and slow. Generally, these were systems in which SPDS shared time with other functions or which were overloaded. The unacceptably slow response times ranged from about 30 seconds to several minutes. Usually these systems would also vary in response time such that operators never knew whether the system had accepted a command and was executing it or had missed the command, ignored the command, or crashed completely. In some systems this led operators to try to key in the command again, which would "lock up" the keyboard and disable the system for minutes or hours.

Some systems were deficient in not allowing operators rapid access to data. Such systems were generally "command-driven," requiring that the user remember or look up an alphanumeric command and key it in. These systems were found to be unacceptable if a trained operator could not quickly call up an SPDS display. The reviewers found a system unacceptable if operators had to consult point identifier directories and could not find correct entries, or if they had frequent mis-keying errors that resulted in long response times.

III.A.3. Reliability

Note: The staff defines reliability at the system level. Therefore, acceptable systems are those that are reliable in terms of hardware, software, and operator performance. Reliability, as defined here, includes two general concepts: (1) reliability, the degree to which the system will repeatedly produce the same results under identical conditions over time, and (2) validity, the degree to which the system will produce correct and accurate results that the user will believe, i.e., rely on.

Of the 57 units reviewed thus far, 12 have installed systems that were considered adequately reliable. From the hardware point of view, these systems are characterized by the use of backup storage and automatic restart capabilities, uninterruptible power supplies (UPS), independent and redundant hardware for critical parts of the system, on-site or near-site maintenance support, and adequate inventories of spare parts.

Regarding software reliability, these systems were developed using verification and validation (V&V) methodology equivalent to that described in NSAC-39, "Verification and Validation for Safety Parameter Display Systems" (Ref. 9). This methodology provides some assurance that the SPDS software has been adequately designed, implemented, and tested.

From the operator performance perspective, the reliability of these acceptable systems was tested by some form of "man-in-the-loop" test program in which trained operators used the system during emergency event scenarios. Operators were trained in SPDS operation prior to declaring the SPDS operational in the control room. The perception of operators interviewed at these plants is that the SPDS is as reliable as (or more reliable than) any other instrument in the control room. Generally, operators at these plants use SPDS routinely and on a daily basis.

Note: The term "operator" as used in this document refers to "SPDS operator" or user; those users are defined by each licensee and may include Shift Supervisors, STAs, and emergency response facility personnel as well as control room operators.

Reliable systems also provided some method of data validation. Minimally, they all provided at least a comparison of redundant sensor readings for consistency, and range checks to identify failed instruments. Most also provided other methods, such as coincident logic schemes and analytical algorithms to shift setpoints during mode changes. These characteristics yielded systems with estimated or measured computer availabilities of greater than 99 percent, and in which operators were reasonably confident that the SPDS could be relied upon to display plant data correctly.

Many systems were found to be unreliable, suffering from frequent failures ranging from keyboard "lock-up" to total system crash. Although these systems contained some of the characteristics of acceptable systems, such as multiple processors and UPS, they also contained design flaws that allowed single failures of hardware or software to take the system down frequently and/or for long periods of time. Nine systems displayed inaccurate or incorrect information that could mislead operators. False alarms were also common. These problems undermined operator confidence in relying on the SPDS. In fact, at several plants, operators were instructed not to use SPDS at all.

In general, these systems were not designed using an acceptable V&V program. At several plants, the SPDS was declared operational and installed in the control room before development of the design was complete and before operators were adequately trained. Under these circumstances, operators learned to mistrust the SPDS. In many cases, "man-in-the-loop" testing was not done prior to declaring the SPDS operational. Most plants with unreliable systems had inadequate maintenance and software quality control programs as well.

These systems were unacceptable either because they were so unreliable that operators did not use them (thus, they did not provide aid to the operator as required by Supplement 1 to NUREG-0737) or because they provided inaccurate or false information that could mislead operators, thus posing a serious safety question. In instances where the staff found SPDSs that had inaccurate or false information, licensees were instructed to shut the system off to prevent operators from using bad data that might lead to unsafe operation of the facility.

Although no SPDS was judged unacceptable based solely on shortcomings in its V&V program, it was apparent to the staff that those plants that did not implement a good V&V program concurrent with their design process were usually plagued by single-failure flaws in the hardware configuration, significant software errors, and poor acceptance by operators.

High reliability should be built into a system by means of V&V methodology, good software maintenance, and established quality assurance policies. Test programs alone cannot assure that a system will provide reliable information under the full scope of emergency conditions, nor can one-time test programs address the viability of a system over time if uncontrolled or undocumented modifications are possible.

Because there is no single measure of system reliability, the staff's judgment has been based on three general measures in combination: (1) estimated or measured computer availability (equal to or greater than 99 percent), (2) observed inaccuracies and false alarms during an NRC audit, and (3) operator survey results. The last two of these have been given the most weight because they reflect the reliability of the final product, the data being displayed, rather than reflecting the reliability of the tools being used to process and generate the final product. No SPDS has been found unacceptable based on only one of these measures. Each is used as a confirmation of the others.

Because data validity and system reliability have such a great impact on the usability of SPDS, examples of specific problems are included below to provide further insights to licensees and applicants for avoiding common pitfalls.

III.A.3.a. Data Validity

Lack of Data Validation

Some systems failed to incorporate data validation techniques of any kind. These systems did not fulfill the requirement to provide a reliable display and, in effect, complicated the operator's task of recognizing challenges to plant safety. Lack of data validation places the burden of identifying valid readings on the operator. Little benefit is gained from placing unvalidated readings of loop temperatures, for example, on a computer screen in addition to the control boards.

In some cases, the operator was presented with averages of unvalidated inputs. In these cases, the averaging process may even mask a failed input from the operator, and thus the operator will be misled by incorrect information. For example, in a PWR with three reactor coolant system pressure transmitters, one of which is failed high, system pressure would have to be below H00 psi before an SPDS average of unvalidated inputs would indicate a concern. Furthermore, the input of unvalidated values to algorithms that determine critical safety function status can produce incorrect status indications.
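The failed-high transmitter case above, worked through as an added example that is not code from NUREG-1342 or from any licensee's SPDS. It puts the rejected approach (a plain mean of raw channels) beside the minimal validation the report credits acceptable systems with: a range check per channel, a consistency check against the redundant channels, and a quality flag that the critical-safety-function logic consumes instead of a bare number. The 0-3000 psig span, the failed channel pegged at full scale, the 2000 psig concern setpoint and the 50 psi agreement band are constructed assumptions; the report gives none of these values.

```python
"""Added example (not from NUREG-1342): averaging unvalidated redundant
channels masks a failed instrument; range + peer-agreement validation does not.

Assumptions (constructed, not from the report): three RCS pressure
transmitters spanning 0-3000 psig, one failed high and pegged at full
scale, a 2000 psig low-pressure concern threshold, 50 psi agreement band."""

from dataclasses import dataclass
from statistics import median
from typing import Optional

SPAN_LO, SPAN_HI = 0.0, 3000.0   # assumed transmitter range (psig)
LOW_PRESSURE_SETPOINT = 2000.0   # assumed "concern" threshold (psig)
AGREEMENT_BAND = 50.0            # assumed max deviation from peer median (psi)


@dataclass(frozen=True)
class Validated:
    value: Optional[float]  # validated pressure, or None if no channel survived
    good: tuple             # indices of channels accepted
    rejected: dict          # index -> reason string
    quality: str            # "GOOD", "DEGRADED" or "BAD"


def unvalidated_average(readings: list) -> float:
    """The rejected approach: plain mean of the raw channels."""
    return sum(readings) / len(readings)


def pressure_at_which_average_alarms(n: int, failed_value: float, setpoint: float) -> float:
    """Actual pressure below which the mean of n channels, one pegged at
    failed_value, first drops under setpoint: (n-1)*P + failed = n*setpoint."""
    return (n * setpoint - failed_value) / (n - 1)


def validate(readings: list) -> Validated:
    """Range-check every channel, then drop channels that disagree with the
    median of the in-range set. With three channels the median tolerates one
    bad channel, so a pegged transmitter is excluded rather than averaged in.
    (Two channels failed the same way would defeat it: that is the usual
    2-of-3 limitation, not something this check can fix.)"""
    rejected = {}
    in_range = {}
    for i, r in enumerate(readings):
        # A range check alone catches open/shorted loops, not a sensor pegged
        # at a value that is still inside its calibrated span.
        if not (SPAN_LO <= r <= SPAN_HI):
            rejected[i] = f"out of range ({r})"
        else:
            in_range[i] = r
    if not in_range:
        return Validated(None, (), rejected, "BAD")
    ref = median(in_range.values())
    good = {i: r for i, r in in_range.items() if abs(r - ref) <= AGREEMENT_BAND}
    for i, r in in_range.items():
        if i not in good:
            rejected[i] = f"disagrees with peers by {abs(r - ref):.0f} psi"
    if len(good) >= 2:
        quality = "GOOD" if len(good) == len(readings) else "DEGRADED"
    else:
        quality = "BAD"   # a lone surviving channel cannot be cross-checked
    value = sum(good.values()) / len(good) if good else None
    return Validated(value, tuple(sorted(good)), rejected, quality)


def low_pressure_concern(v: Validated) -> bool:
    """Status-tree input: a BAD quality is itself a concern, never a silent zero."""
    return v.quality == "BAD" or (v.value is not None and v.value < LOW_PRESSURE_SETPOINT)


if __name__ == "__main__":
    raw = [1500.0, 1510.0, 3000.0]   # constructed: plant at ~1500 psig, channel 2 failed high
    print("unvalidated average:", unvalidated_average(raw))
    print("validated:", validate(raw))
    print("average first alarms below:",
          pressure_at_which_average_alarms(3, SPAN_HI, LOW_PRESSURE_SETPOINT), "psig")
```

With the plant at 1500 psig the raw mean still reads 2003 psig and raises no concern; under these assumptions the mean does not cross the 2000 psig setpoint until the real pressure is below 1500 psig. The validated path rejects channel 2 for disagreeing with its peers, reports 1505 psig with DEGRADED quality, and the status logic flags the concern.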

Errors in Single Nunerical Computer Points Post SPDS systems hdve et least a few data points that do not agrce with the analog or digital data that is displayed on the control room boards.

In almost every case, this situation can be avcided. The most common of these errors are describcd below, p.


Some SPDS flow indications are continuously invalid or incorrect during normal operations. This destroys the credibility of SPDS as a tool to be used and trusted to display plant safety information. For example, during normal power or hot standby operation of the plant, numerous systems are not operating or are in a standby mode. Examples of these systems include containment spray, auxiliary or emergency feedwater, safety injection systems, diesel generators, and wide-range containment sump level monitors. Flow and pressure instruments associated with these systems should indicate zero flow and low or atmospheric pressure when the systems are in standby. Because of electronics drift, the millivolt or milliamp signal equivalent to these zero conditions is not an absolute, fixed value. In addition, some systems in standby actually develop pressures slightly less than atmospheric or less than the calibrated static head.

Because most SPDS systems use a fixed value as the zero range-check validation point, when instrument output falls slightly below this value, the point is falsely indicated either as invalid or as a negative flow value. Some system designers have eliminated this problem by lowering the range-check setpoint slightly and by allowing a small range of near-zero values to be interpreted as zero.

Most SPDSs have at least a few problems with digital computer points (e.g., two-state signals, such as open-shut and on-off). The problem is manifested by displays that erroneously indicate open valves as being shut, running pumps as being off, etc. These problems are apparently caused by the systems incorrectly interpreting the voltage at which the input changes state.

Occasional problems are caused by wide-range instruments being used as inputs to computer points that have a very low alarm setpoint. A good example of this problem is the typical alarm associated with increasing containment pressure. These alarms are typically set at values from about 1.0 to 2.5 psig (depending on reactor type). The control room alarm (annunciator) is usually driven by a narrow-range pressure instrument with a typical range of -5.0 to +10.0 psig. In many instances, these narrow-range instruments are not used as inputs to the SPDS; only wide-range instruments with ranges of -5.0 to +60.0 psig are input. The wide-range instruments often have the same full-scale signal voltage change as the narrow-range instruments. Therefore, a minor voltage change on the wide-range instrument may equate to a pressure change of 2 or 3 psig, thereby causing spurious pressure alarms on the SPDS. When the wide-range instrument is read in the control room, within the accuracy of the scale, it will appear to be reading zero, while the SPDS computer point is swinging from -2.0 to +2.0 psig.

Some computer points fluctuate wildly because of signal lead ground loops and current drain problems. These problems appear on the non-1E side of the electrical isolators.

Errors in Averages and Other Processed Data

SPDS computer points fall into two distinct categories: discrete and processed (or composed). Discrete computer points use a single analog or digital instrument as an input, while processed points are computed within the SPDS computer or an associated computer using a combination of inputs from several sensors. Most SPDS systems perform a simple maximum-minimum range check to validate discrete points. Composed points can have a variety of redundant-sensor algorithms applied to ensure their validity. Some SPDS systems use composed points, such as averages of several like sensors, but apply no validation checks to these composed points beyond the simple range checks applied to the discrete points. A simple example of a composed and validated computer point is as follows:

Four reactor pressure instrument inputs to an SPDS are first range-checked as discrete points. All of the inputs that pass the range check are then compared with each other. Those falling outside of a predetermined standard deviation of the average of the points are rejected. The remaining points are then re-averaged to provide the composed and validated point.
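The validated composed point just described, the near-zero dead band for standby instruments, and the masking effect of an unvalidated average in the PWR pressure example earlier in this section can all be put into code. The Python below is an added example written for this page; it is not code from NUREG-1342 or from any SPDS vendor. The transmitter range (0 to 3000 psig), the low-pressure setpoint (1900 psig), the channel-accuracy tolerance and every reading are constructed assumptions, and the `tol` floor on the outlier test is an addition beyond the report's description.

```python
"""Validation of composed (multi-sensor) SPDS points.

Added example for the text above; it is not code from NUREG-1342 or from any
SPDS vendor. Instrument ranges, setpoints and readings are constructed
assumptions resembling a PWR reactor coolant system pressure channel.
"""
from typing import List, Optional, Tuple

INVALID = None  # quality marker for a reading that fails validation


def range_check(value: float, lo: float, hi: float,
                zero_band: float = 0.0) -> Optional[float]:
    """Discrete-point range check.

    Readings slightly below `lo` (within `zero_band`) are reported as `lo`
    instead of being rejected or shown as negative flow: an instrument on a
    standby system drifts around its calibrated zero, so a hard cut at `lo`
    produces the continuously-invalid points described in the report.
    """
    if lo - zero_band <= value < lo:
        return lo
    if lo <= value <= hi:
        return value
    return INVALID


def composed_point(readings: List[float], lo: float, hi: float,
                   k: float = 1.0, tol: float = 0.0,
                   zero_band: float = 0.0) -> Tuple[Optional[float], List[float]]:
    """Range-check each input, discard those further than k standard
    deviations from the mean of the survivors, and re-average the rest.

    `tol` is an addition to the report's description (assumed channel
    accuracy): a deviation only counts as an outlier if it also exceeds
    `tol`. Without it, four healthy channels that agree to within a few psi
    would have their two extreme members rejected by a pure k-sigma rule.
    Returns (validated value or INVALID, list of inputs that were accepted).
    """
    passed = [v for v in (range_check(r, lo, hi, zero_band) for r in readings)
              if v is not INVALID]
    if not passed:
        return INVALID, []
    mu = sum(passed) / len(passed)
    sigma = (sum((v - mu) ** 2 for v in passed) / len(passed)) ** 0.5
    limit = max(k * sigma, tol)
    kept = [v for v in passed if abs(v - mu) <= limit]
    if not kept:
        return INVALID, []
    return sum(kept) / len(kept), kept


def naive_average(readings: List[float]) -> float:
    """What an unvalidated SPDS average does: every input counts, failed or not."""
    return sum(readings) / len(readings)


def masked_alarm_pressure(setpoint: float, failed_value: float, n: int) -> float:
    """True pressure below which a naive n-channel average, with one channel
    stuck at `failed_value`, finally drops below a low-pressure `setpoint`:
    (failed + (n - 1) * p) / n < setpoint  =>  p < (n * setpoint - failed) / (n - 1)
    """
    return (n * setpoint - failed_value) / (n - 1)


if __name__ == "__main__":
    LO, HI = 0.0, 3000.0          # assumed transmitter range, psig
    LOW_SETPOINT = 1900.0         # assumed low RCS pressure alarm, psig
    healthy = [2235.0, 2240.0, 2245.0]
    failed_high = healthy + [3000.0]   # fourth channel stuck at top of range
    print("naive average      :", naive_average(failed_high))
    print("validated point    :", composed_point(failed_high, LO, HI, tol=20.0))
    print("3-channel naive average alarms only below",
          masked_alarm_pressure(LOW_SETPOINT, 3000.0, 3), "psig")
    print("standby flow -0.3  ->", range_check(-0.3, 0.0, 100.0, zero_band=0.5))
```

Running the block shows a single channel stuck at the top of its range pulling the naive four-channel average to 2430 psig while the validated point stays at 2240 psig, and, for three channels, the naive average not crossing a 1900 psig setpoint until true pressure is below 1350 psig. The tolerance floor matters: with `tol=0`, four healthy channels reading 2235 to 2250 psig lose their two extreme members because the one-sigma band is only about 5.6 psig wide.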

When adequate data validation techniques are not applied, SPDS performance suffers. Typical problems identified by the staff are described below.

o Using a single, auctioneered highest core exit temperature (CET) as the input to an algorithm may cause the resultant value to be inaccurate if any single CET fails high.

o Using the raw input from differential-pressure reactor vessel level instrumentation systems may cause erroneous level readings as the plant pressure and coolant pump combination change.

o Using simple averages of several unvalidated loop temperatures and pressures causes the composed points to read in error when any one of the inputs fails.

Other problems arise when composed points, made up of inputs from more than one loop or section of a system, are used where a discrete or single-loop point would be more appropriate:

o Cases have been observed where a T-cold composed point, consisting of the average of the T-cold inputs from all four loops of a PWR, was used in a pressurized thermal shock (PTS) detection algorithm. The Emergency Operating Procedures (EOPs) and PTS limits were based on evaluating each loop separately, with the coldest loop being of concern. If a composed point is to be used in this algorithm, the auctioneered coldest value would be more appropriate.

o The use of an average BWR suppression pool (SP) temperature as an input to an algorithm that monitors for the hottest point in the SP is likewise not appropriate.

The staff also noted cases where inappropriate parameters were used by composed-point algorithms. An example is the composed-point algorithm used to calculate reactor pressure vessel (RPV) level at several BWRs. At these plants, this algorithm averaged the readings of all level instruments without regard for the conditions for which the instruments were calibrated. These level measurements were made using a differential pressure method. To determine level from a differential pressure measurement, the density of the fluid being measured must be known; level is then the differential pressure divided by the density. Since the temperature of reactor coolant is much different during normal operation than it is during shutdown, coolant density is different as well. Therefore, many coolant system levels are measured with two sets of instruments: one set calibrated for operating conditions and the other calibrated for shutdown conditions. Measurements from these two sets of instruments should not be combined unless some adjustment is made for the fact that they are calibrated for different coolant densities.

Inadequate Identification of Data Quality

Most SPDS systems use one of several techniques for indicating suspect or poor data points. These methods include color changes, backlighting, flashing, superscript and subscript characters, and replacement of numerical data with characters such as asterisks (*****). The following problems have been observed with these techniques:

Several SPDS systems reviewed allow CRT terminal operators to manually replace real input data with other values. This procedure was judged satisfactory if the inserted data could be somehow highlighted or designated as being an inserted value and if the number of personnel having system security codes allowing such action was limited and administratively controlled. However, on some SPDS systems the fact that data had been manually entered in place of real input data was not detectable by any visual cue and could be done by anyone, without the knowledge of the operators, from any terminal attached to the host computer (in some cases, from as far away as a corporate office located miles from the site).

In some cases, data that fails a validation check is highlighted with the same visual cue as data points that have exceeded an alarm setpoint. Rapid discrimination of visual cues is impossible when these cues have more than one meaning, i.e., "invalid data" and "parameter outside of normal range."
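A design that meets the staff's conditions for manual substitution (a distinct visual cue, a limited and administratively controlled set of users, a record of who changed what) and that keeps "invalid" visually separate from "outside normal range" can be sketched as follows. The Python below is an added example written for this page, not code from NUREG-1342 or from any SPDS; the role names, terminal identifiers, cue strings, and the restriction of substitution to control-room terminals are assumptions.

```python
"""Data-quality cues and controlled manual substitution for SPDS points.

Added example for the two passages above; it is not code from NUREG-1342 or
any SPDS. Role names, terminal identifiers and the cue vocabulary are
assumptions chosen for illustration.
"""
import time
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Quality(Enum):
    GOOD = "good"
    INVALID = "invalid"          # failed a range or consistency check
    SUBSTITUTED = "substituted"  # live input replaced by an entered value


@dataclass
class Point:
    name: str
    value: Optional[float]
    quality: Quality = Quality.GOOD
    alarm_hi: Optional[float] = None  # alarm setpoint; None = no alarm on this point
    units: str = ""

    def in_alarm(self) -> bool:
        # An invalid reading never drives an alarm decision.
        return (self.quality is not Quality.INVALID
                and self.value is not None
                and self.alarm_hi is not None
                and self.value > self.alarm_hi)

    def render(self) -> str:
        """One distinct cue per condition. An invalid point loses its number
        entirely; 'MANUAL' and 'ALARM' are separate tags that may appear
        together, so no single cue ever carries two meanings."""
        if self.quality is Quality.INVALID or self.value is None:
            return f"{self.name}: *****"
        text = f"{self.name}: {self.value:g} {self.units}".rstrip()
        if self.quality is Quality.SUBSTITUTED:
            text += " [MANUAL]"
        if self.in_alarm():
            text += " [ALARM]"
        return text


@dataclass
class AuditEntry:
    point: str
    old_value: Optional[float]
    new_value: Optional[float]
    user: str
    terminal: str
    at: float


class PointTable:
    # Assumed policy: substitution only by these roles and only from terminals
    # physically in the control room, so it cannot happen unseen from a
    # remote office.
    AUTHORIZED_ROLES = frozenset({"shift_supervisor", "system_maintenance"})
    CONTROL_ROOM_TERMINALS = frozenset({"CR-1", "CR-2"})

    def __init__(self, points: List[Point]) -> None:
        self.points: Dict[str, Point] = {p.name: p for p in points}
        # Latest live sample for each substituted point, kept for restore.
        self.shadow: Dict[str, Tuple[Optional[float], Quality]] = {}
        self.audit: List[AuditEntry] = []

    def update_live(self, name: str, value: Optional[float],
                    quality: Quality) -> None:
        """Scan update. A substituted point keeps showing the entered value;
        the live sample is parked in `shadow` instead of overwriting it."""
        p = self.points[name]
        if p.quality is Quality.SUBSTITUTED:
            self.shadow[name] = (value, quality)
            return
        p.value, p.quality = value, quality

    def substitute(self, name: str, value: float, user: str, role: str,
                   terminal: str) -> Point:
        if role not in self.AUTHORIZED_ROLES:
            raise PermissionError(f"role {role!r} may not substitute data")
        if terminal not in self.CONTROL_ROOM_TERMINALS:
            raise PermissionError(f"terminal {terminal!r} is not in the control room")
        p = self.points[name]
        if p.quality is not Quality.SUBSTITUTED:
            self.shadow[name] = (p.value, p.quality)
        self.audit.append(AuditEntry(name, p.value, value, user, terminal, time.time()))
        p.value, p.quality = value, Quality.SUBSTITUTED
        return p

    def restore(self, name: str, user: str, terminal: str) -> Point:
        """Put the point back on scan; logged like a substitution."""
        p = self.points[name]
        value, quality = self.shadow.pop(name, (None, Quality.INVALID))
        self.audit.append(AuditEntry(name, p.value, value, user, terminal, time.time()))
        p.value, p.quality = value, quality
        return p
```

A substituted point renders as, for example, `cont_press: 0.2 psig [MANUAL]`, an invalid one as `cont_press: *****`, and a valid reading above its setpoint as `cont_press: 2.1 psig [ALARM]`, so an operator can tell the three conditions apart at a glance. Every substitution and restore appends an `AuditEntry`, and attempts from an unauthorized role or from a terminal outside the control room are refused before any value changes.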

Removal of Data Points Known to Be Invalid

Quite often some of the analog instruments used as inputs to the SPDS will be out of service because of hardware failure or surveillances in progress. Unless an SPDS has a very good validation scheme for each parameter, there is a need to be able to take computer points out of scan easily. On many systems, the process of taking failed points out of scan is quite easy. One process, for example, involves the completion of a short approval form and a few keystrokes by system maintenance personnel. However, there are systems in which taking a point out of scan is nearly impossible. In some systems, the data points are coded in assembly language rather than being resident on a disc file or table. In order to remove a point from scan, the computer system personnel must shut down the entire system and perform assembly language programming. Because this method is more complex, some failed computer points could still be resident in the system and indicate bad data for months after the problem with the instrument has been corrected.

A few systems operate with the SPDS program on computer chips. In order to take a point out of scan or to make any other modification to the system, new chips are required. This process can again take several months, during which time the system displays inaccurate data to the operators.

Algorithm Errors

Some systems displayed inaccurate information, false alarms, or both because of problems with programming algorithms. This was complicated in a few cases because the SPDS operators did not fully understand the algorithms that drive certain displays. Examples are provided below.

Some reactivity control algorithms that are intended to be anticipated-transient-without-scram (ATWS) indicators do not use any input from the reactor protection system or trip breakers. Because of this, the top-level displays are continuously alarmed falsely anytime reactor power is above about 3 to 5 percent. The alarms would work as ATWS indicators following a trip, but may be ignored by the operators since they have grown accustomed to seeing the false alarm during normal plant operations.

One SPDS reviewed did not actuate any of the top-level safety function alarm algorithms until after a trip occurred. The operators were unaware of this and believed the system to be very reliable since they had never observed any alarms during normal power operation.

Some PWR SPDS algorithms use a makeup-letdown flow mismatch to detect a leak or break in the reactor coolant system (loss-of-coolant accident [LOCA]). Because programmers did not take into account the portion of coolant diverted for RCS pump seals and the coolant lost via normal minor identified leakage, the LOCA alarm was continuously illuminated.

III.A.3.b Reliability/Availability

SPDS System "Lockups" and "Re-Boots"

About 30 percent of the SPDS systems reviewed to date have demonstrated frequent system "lockups" under both normal and heavy usage. To be assured that such problems do not occur in an operational environment, systems could be tested at full expected loading, with all available terminals in use. Once developed, a system load test procedure can be run at any time. The system could also be tested in conjunction with the annual emergency exercise or during a planned plant trip (scram).

The sources of observed system lockups fall into about four categories and are somewhat equally distributed. These categories are:

o software problems in the graphics terminal(s)
o host computer software problems (in particular the display driver portions)
o CPU communications bus data errors
o errors and lack of capacity on remote terminal communications links


Lockups are most frequently initiated by one of the following reasons or activities:

o Heavy system loading during multiple terminal or peripheral use, such as occurs following a reactor trip.
o The lack of display feedback messages such as "WAIT - PROCESSING" causes casual system users to continue to input commands while the system is processing previous commands.
o Lack of user training or complexity of commands causes keyboard entry errors resulting in system lockup. The problem of user training seems worse at sites where the SPDS is served by the same host computer as the emergency response facility (ERF) data systems. ERF users may only use the systems a few times per year.

These kinds of problems with system reliability and data validity reduce the credibility of the SPDS. The basis of the requirement for high reliability is the need for operators to believe data. If they doubt the accuracy, the correctness, or the timeliness of data, operators will look elsewhere for information. If this happens often enough, the operators will begin to ignore the SPDS because it increases the data-gathering workload rather than decreasing it. For the SPDS to be effective, it must aid operators in rapidly and reliably determining a plant's safety status. Those systems that the staff has found to be unacceptable do not provide such aid, and may, in fact, mislead or confuse operators.

III.A.4 Conditions When SPDS Should Be Operational

Of the 57 SPDSs evaluated, all adequately satisfied the requirement to install an SPDS that is designed to operate during normal, abnormal, and emergency conditions. The staff's initial guidance (NUREG-0835, Draft Report; NUREG-0696) regarding the conditions under which an SPDS should be operational called for the SPDS to be available during all plant modes. In Supplement 1 to NUREG-0737, the staff reduced the acceptable operating scope of the SPDS to "normal operations, abnormal and emergency conditions," i.e., all modes above cold shutdown. Some plants have also elected to include the cold shutdown and refueling modes as part of the SPDS's scope. The staff finds this to be a desirable extension of the SPDS scope of application.

III.B CONVENIENT LOCATION AND CONTINUOUS DISPLAY

Each operating reactor shall be provided with a Safety Parameter Display System that is located convenient to the control room operators. This system will continuously display information from which the plant safety status can be readily and reliably assessed by control room personnel who are responsible for the avoidance of degraded and damaged core events (NUREG-0737, Supplement 1, Section 4.1.b).

This requirement contains two additional elements that were not discussed in the preceding section:

o convenient location
o continuous display.

III.B.1 Convenient Location

The term "operator" is defined here in the broad sense of SPDS operator or user. The staff's only strict requirements with regard to convenience have been that the SPDS be in the control room and that it be convenient to the licensee-defined user(s), e.g., reactor operators, senior reactor operators, shift technical advisor, shift supervisor. A corollary principle is that the SPDS should not interfere with control room operations, e.g., interfere with physical or visual access to other control room instruments.

Only 17 units failed to satisfy this requirement. An extreme example was an SPDS CRT that was suspended from the ceiling of the control room, too far from the floor to be read by anyone in the control room. This display was obviously not convenient to any user.

III.B.2 Continuous Display

A continuous display is needed for an effective SPDS because it affords the operator almost immediate access to the most important information about plant safety. Acceptable SPDS systems had this information displayed continuously. Operators did not need to search among various displays or page through irrelevant information to get a current overview of plant safety status or to be aware that plant status was changing. Plant safety status information should always be displayed in the control room, not hidden among rows of instruments or buried under "pages" of CRT displays. The staff makes the distinction that information that is "continuously available for display" is not the equivalent of a continuous display.

Twenty-one of the 57 SPDSs reviewed satisfied this requirement by either providing a dedicated, single display of plant variables, or by providing a hierarchy of display "pages" on a single CRT with perceptual cues to alert the user to changes in the safety status of the plant. The remainder were found to be unacceptable because they provided neither a continuous display of variables nor an alerting mechanism, such as safety function status indicators.

III.C ISOLATION FROM SAFETY SYSTEMS AND PROCEDURES AND TRAINING

The control room instrumentation required (see General Design Criteria 13 and 19 of Appendix A to 10 CFR 50) provides the operators with the information necessary for safe reactor operation under normal, transient, and accident conditions. The SPDS is used in addition to the basic components and serves to aid and augment these components. Thus, requirements applicable to control room instrumentation are not needed for this augmentation (e.g., GDC 2, 3, 4 in Appendix A; 10 CFR Part 100; single-failure requirements). The SPDS need not be qualified to meet Class 1E requirements. The SPDS shall be suitably isolated from electrical or electronic interference with equipment and sensors that are in use for safety systems. The SPDS need not be seismically qualified, and additional seismically qualified indication is not required for the sole purpose of being a backup for SPDS. Procedures which describe the timely and correct safety status assessment when the SPDS is and is not available will be developed by the licensee in parallel with the SPDS. Furthermore, operators should be trained to respond to accident conditions both with and without the SPDS available (NUREG-0737, Supplement 1, Section 4.1.c).

This requirement contains two additional elements not yet discussed:

o isolation from safety systems
o procedures and training

III.C.1 Isolation from Safety Systems

In order to protect safety systems from electrical and electronic interference, the SPDS must be isolated from equipment and sensors that are used in safety systems. Examples of acceptable isolation devices and relevant test conditions are listed in Table 1.

The following table lists isolation devices used in the SPDS systems which have been reviewed and approved by the staff. As noted in the list, the maximum credible fault (MCF) testing varied from plant to plant even for the same isolators. Therefore, care must be taken to assure that in any future applications of these devices, licensees verify that the plant-specific application does not exceed the capability of the device. Most of the referenced reports and qualification tests are proprietary and are therefore unavailable for release from NRC. Other devices have been tested but must have the test results submitted to the NRC for review and approval.

Note: relays with contact-to-coil isolation have been approved for several applications; systems utilizing fiber optic cable have not been required to perform maximum credible fault tests because of the inherent isolation characteristics of the cable.

Table 1. Isolation Devices

Manufacturer / Supplier                                      Maximum Credible Fault Test and/or Applicable Topical Reports

ACROMAG Series 700, Models 712-L,H; 722-TL-Y                 MCF 120VAC915A
Analog Devices, Series 289                                   MCF 120VAC915A; MCF 120VAC930A
Computer Products Inc                                        Optical fiber
E-MAX, Digital and Analog                                    MCF 120VAC920A
Energy Inc; Models 156, 159, 1622, 993;                      MCF 480VAC010A, MCF 120VAC920A, MCF 140VDC010A
  Analog 00798; Digital 01026-17
Fischer and Porter, 50EK1000                                 MCF 120VAC930A
Foxboro, M 66B-C0 I/I, M 66G-0W E/I                          WCAP 7508-L
Foxboro N-2A0-2VI, Spec 200                                  MCF 140VAC920A, MCF 140VDC020A
GA Tech, RM-80                                               GA E-255-1333
General Electric, ERIS                                       Optical Fiber, NEDE 30284P
General Electric, GEMAC-550                                  MCF 120VAC020A
Hewlett Packard                                              MCF 120VAC930A
Honeywell, HFM 5000-03                                       Optical Fiber
INTRONIC 1A-184                                              MCF 120VAC930A
Kaman Science Co.                                            MCF 120VAC030A
Motorola                                                     Optical Fiber
Potter Brumfield, MDR                                        See GE-ERIS
Reliance Electric Co, ISO MATE                               MCF 120VAC930A, 125VDC070A
Rochester Inst. Sys, 4400 Series                             MCF 140VDC05A, 120VAC020A; MCF 24VDC03A, 130VAC050A; MCF 140VDC#50A, 132VAC050A
RIS SC-326                                                   MCF 120VAC020A
Robertshaw 572-02                                            MCF 120VAC020A
Simmonds Precision                                           MCF 120VAC020A
Struthers Dunn Inc, CX-3016 NE                               MCF 132VDC0E00A, 528VAC02000A
Struthers Dunn Inc, CX-3918 NE, CX-3916 NE                   Qualified by comparison with DX-3917 NE
Technology For Energy Corp (TEC), System 2200                MCF 120VAC020A
TEC 156 Analog                                               MCF 130VAC050A
TEC 159 Optical                                              MCF 120VAC020A
TEC 980 Analog                                               MCF 120VAC020A
TEC 981 Optical                                              MCF 120VAC020A
Validyne, MUX HC370AD-0Z                                     Optical Fiber
Westinghouse 7100                                            WCAP 7824, 7819
Westinghouse 7300                                            WCAP 8892A
Westinghouse Nuclear Instrumentation System                  WCAP 7506-L, 9011, 7819
Westinghouse Core Cooling Monitor System                     WCAP 10621
Westinghouse RVLIS Isolator, Model 2343063G02 Opto-Coupler   MCF 240VAC020A, 140VDC020A
Westinghouse PSMS/PERMS                                      MCF 580VAC020A, MCF 250VDC020A

III.C.2 Procedures and Training

In general, the requirement to develop procedures and training for safety status assessment and accident response with or without SPDS was addressed by licensees and applicants in their upgrading programs for emergency operating procedures (NUREG-0737, Item I.C.1). These programs introduced function-oriented procedures into the control room. The basic premise of the function-oriented concept is that critical safety functions should be constantly monitored and maintained during an emergency response. Inherent in the concept, therefore, is the delineation of tasks describing the timely and correct safety status assessment and accident response. Most plants do not specify in the emergency procedures which instruments to use for accident response. Some plants include notes and cautions in their procedures to limit the use of certain instruments, including SPDS, during certain transients and accidents.

Twenty-one units acceptably satisfied the requirement to provide procedures and training for safety status assessment and accident response with or without SPDS. They did so by (1) providing upgraded emergency operating procedures (EOPs) that contain safety status assessment tasks, (2) training operators how to use SPDS (e.g., during simulator or requalification training), (3) training operators how to carry out accident responses both with and without SPDS, and (4) providing an SPDS users' manual in the control room for easy reference.

The remaining plants did not acceptably satisfy this requirement. At many plants training deficiencies were identified during operator interviews and SPDS demonstrations when SPDS-trained users made obvious errors and showed confusion or misunderstanding. These deficiencies were of sufficient magnitude to diminish the effectiveness of the SPDS or to increase the potential for operator error. For example, at one plant a primary user of the SPDS believed that a certain color code denoted that there were not enough valid inputs to ascertain the status of a safety function. In fact, the meaning of the color code in this system was "critical safety function in jeopardy." The failure of users to understand such basic SPDS functions and operation provided primary evidence of poor or infrequent training. No system was found unacceptable based on the performance or the assertions of only one user--evidence was confirmed through multiple interviewees/users and through a review of the details of the training program itself.

Deficiencies were found at a few units because the licensee did not provide an SPDS users' manual in the control room. These were plants in which interviewees/users showed some confusion concerning operation of the SPDS that could have been resolved if an easy-to-use reference manual had been available in or near the control room.

The requirement for having procedures and training for accident response both with and without SPDS evolved from the staff's concern that, because of the SPDS's convenience and usefulness, operators could become over-reliant on the SPDS. The SPDS is intended as an aid to operators, to be used in addition to existing control room instrumentation, and should, generally, not be used in place of existing instrumentation. An exception is when the SPDS displays processed information that is not available elsewhere--in any case, operators should not take action based on the SPDS alone.

Ill.D.

SELECT 10ll 0F INFORPATION FOR DISPLAY There is a wide range of useful inf ormation that can be provided by various SPDS. This information is reflected in such staff documents as MUREG-0690, NUREG-0835, and Regulatory Guide 1.97.

Prompt implemente. tion of an SPDS can provide an important contribution to plant safety. The selection of specific information that should be provided for a particular plant shall be based on engineering judgment of individual plant licensees, taking into account the importance of prompt implementation (NUREG-0737, Supplement 1, Section 4.1.d.)

This requirement includes two essential einents:

o selection of information for display o

prompt implementation.

111.0.1 Selection of Information for Display As indicated in Supplement 1 to NUREG-0737, licensees should define the content of SPDS displays. Two restrictions to this general principle were applied:

(1) the minimum acceptable set of information must be sufficient to represent the status of plant safety functions (this iten is discussed in detail in Section Ill.F below), and (2) the information set rust not be so large that meaningfulness, accessibility, or other human factors are negatively affected.

Most plants acceptably satisfied this requirement by providing evidence that the design of the content of SPDS displays was reascnable, systematic, and based on credible analyses. Typically, acceptable programs included the following elements:

o a definition of system requirements and the needs of defined users
o coordination with tasks identified in the systems/task analysis performed during the development of upgraded EOPs and/or performance of the detailed control room design review (DCRDR)
o consideration of any new instrumentation needs identified during the implementation of Regulatory Guide 1.97
o coordination with the content of training programs
o consideration of user preferences.

Seventeen SPDS designs were judged unacceptable because of the information that was selected for display. The most common deficiency was omissions in the information set, i.e., insufficient information to adequately represent plant safety status (see III.F below for further details). A few suffered from the opposite problem: information overload. These latter systems provided too much information in relation to the presentation format, e.g., too many variables on a single primary display led to readability problems, or too many "pages" of information with a poorly designed access system caused operators to become "lost" in a maze of irrelevant displays.


The basic intent that underlies this requirement is that licensees are best qualified to judge what critical information needs to be gathered together into the concise display called SPDS. However, the staff defined the basic plant safety functions that should be represented in a minimally effective SPDS.

III.D.2 Prompt Implementation

Thus far, the staff has not rejected any reasonable implementation schedule for SPDS.

In order to allow licensees to implement promptly, the staff's review and approval process was not placed in the critical path.

Unless requested to do so by the licensee, the staff does not review and approve an SPDS prior to its implementation. The staff has given as much early guidance as possible to licensees, but the SPDS review is generally a post-implementation evaluation. The staff has also attempted to expedite the implementation process by relaxing some of its earlier positions on SPDS.

For example, the requirement for Class 1E qualification or a Class 1E backup was deleted in favor of simply requiring a highly reliable system. Also, the staff's review regarding selection of parameters was tempered by the consideration that the staff would not require additional information that would necessitate the installation of new sensors and instrumentation loops, but rather would limit its requirements to existing instrumentation.

In these and other ways, the staff has tried to accommodate licensees in the prompt implementation of SPDS.

Although no plant has specifically been cited for delays in implementation, the record of the industry is not good on this point. By the staff's estimate, approximately 75 percent of all plants still do not have a fully operational SPDS in their control rooms, more than 5 years after the issuance of Generic Letter 82-33, which called for prompt implementation of SPDS.

III.E HUMAN FACTORS AND SPDS DISPLAYS

The SPDS display shall be designed to incorporate accepted human factors principles so that the displayed information can be readily perceived and comprehended by SPDS users (NUREG-0737, Supplement 1, Section 4.1.e).

This requirement is rooted in the human factors problems that contributed to the accident at TMI-2. The staff, through this requirement, emphasized the need to incorporate good human factors principles in the design of equipment rather than attempting to backfit the principles in a superficial way. Properly designed systems incorporated the needs and limitations of users into the design from the very start of the design process. This resulted in systems that do the job, are easy to use and understand, do not cause confusion, frustration, or errors, and that users can rely on when making critical decisions during an emergency.

Of the 57 units reviewed, only 12 have fully satisfied this requirement. Staff review of this requirement included an evaluation of the design process and portions of the verification and validation (V&V) program, as well as an audit of the SPDS displays, interfaces, and environment.


Plants that satisfied the requirement to incorporate human factors principles into their SPDS design did so by providing evidence that user needs were identified during the initial design phases, that specifications and acceptance criteria for optimizing the display and control interfaces were established, that operators were involved in the design process either as members of the design team or as reviewers, and that the V&V program included appropriate human factors reviews and "man-in-the-loop" testing. The effectiveness of these programmatic efforts was confirmed by the staff through an audit of the SPDS in its operating environment. Those systems that were found to have few and minor human factors discrepancies satisfied this requirement. Guidance and information in this area can be found in NUREG-0700, "Guidelines for Control Room Design Reviews" (Ref. 10), and NUREG-0800, Chapter 18.2, "Standard Review Plan, Safety Parameter Display System; Appendix A, Human Factors Review Guidelines for Safety Parameter Display System" (Ref. 6).

Systems found unacceptable regarding this requirement often suffered from deficiencies in the SPDS interface that were not the result of random oversight. These systems lacked proper design input from human factors specialists and operators. Standards, specifications, and acceptance criteria for human factors considerations, such as system response time, operator feedback, control room standards and conventions, and operator preferences, were generally not established and, therefore, not incorporated into the design. More often than not, these systems were not subjected to "man-in-the-loop" testing, and operator acceptance was poor.

Numerical magnitudes of SPDS parameters and time-history plots should be displayed to resolutions usable by the operator. One time-history plot the staff reviewed could resolve data only to a value equivalent to the height of a CRT character, resulting in very poor trend plot resolution. For example, reactor pressure vessel (RPV) pressure could only be resolved to 125 psi from the trend plot. Thus, one to 125 psi appeared as 125 psi, and 126 psi appeared as 250 psi.

Another case was reviewed in which the ordinate divisions of all trend plots were established automatically by dividing the full range by three. Thus, percentage plots appeared as 0, 33.33, 66.67, 100. An Auxiliary Feedwater system (AFW) flow plot appeared as 0, 83333.33, 1.67E+05, 2.50E+05 gallons per hour. Not only is it difficult to estimate volume between the major graduations, but the two-decimal-point accuracy just adds useless visual "noise" to the display.
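The two scaling defects just described can be reproduced and checked mechanically. The following Python is an added example, not code from NUREG-1342 or from any licensee's SPDS: it shows the character-row quantization (an assumed 0 to 1500 psi range drawn over an assumed 12 character rows gives the 125 psi cell the review found), the divide-by-three ordinate scheme that produced 33.33 and 66.67, and a "nice number" tick algorithm (Heckbert's, from Graphics Gems) that places graduations at round engineering values and prints integer steps without decimals. The function names, the row count and the ranges are assumptions made for the example.

```python
"""Trend-plot scaling checks for an SPDS display.

Added example, not part of NUREG-1342 or any licensee's SPDS software.
The plot geometry (character rows) and the engineering ranges are assumed
for illustration.
"""
import math


def row_resolution(full_range, rows):
    """Smallest change a plot can show when the ordinate is drawn with one
    value per character row. An assumed 0-1500 psi range over 12 rows gives
    the 125 psi resolution the review found."""
    return full_range / rows


def cell_quantize(value, cell_size):
    """How a value appears when the plot can only place a point on a row
    boundary: anything inside a row is drawn at that row's upper edge.
    Reproduces '1 to 125 psi shows as 125, 126 psi shows as 250'."""
    if value <= 0:
        return 0
    return math.ceil(value / cell_size) * cell_size


def divide_by_three(lo, hi):
    """The rejected scheme: ordinate divisions fixed at one third of range,
    printed to two decimals regardless of magnitude."""
    step = (hi - lo) / 3.0
    return [round(lo + i * step, 2) for i in range(4)]


def _nice_num(x, round_nearest):
    """Snap x to 1, 2 or 5 times a power of ten (Heckbert, Graphics Gems)."""
    exp = math.floor(math.log10(x))
    frac = x / 10 ** exp
    if round_nearest:   # nearest nice fraction, used for the step
        nf = 1 if frac < 1.5 else 2 if frac < 3 else 5 if frac < 7 else 10
    else:               # smallest nice fraction >= frac, used for a span
        nf = 1 if frac <= 1 else 2 if frac <= 2 else 5 if frac <= 5 else 10
    return nf * 10 ** exp


def nice_ticks(lo, hi, max_ticks=6):
    """Ordinate graduations at round engineering values covering [lo, hi]
    with about max_ticks labels; integer steps are labelled as integers so
    no '.00' noise reaches the display."""
    if hi <= lo:
        raise ValueError("range must be positive")
    step = _nice_num((hi - lo) / (max_ticks - 1), True)
    first = math.floor(lo / step) * step
    last = math.ceil(hi / step) * step
    decimals = max(-math.floor(math.log10(step)), 0)
    ticks = []
    x = first
    while x <= last + 0.5 * step:
        ticks.append(int(round(x)) if decimals == 0 else round(x, decimals))
        x += step
    return ticks


if __name__ == "__main__":
    print("psi per row:", row_resolution(1500, 12))
    print("126 psi shown as:", cell_quantize(126, 125))
    print("divide by three, percent:", divide_by_three(0, 100))
    print("divide by three, AFW gal/h:", divide_by_three(0, 250000))
    print("nice ticks, percent:", nice_ticks(0, 100))
    print("nice ticks, AFW gal/h:", nice_ticks(0, 250000))
```

For the AFW plot the nice-number step comes out at 50000 gal/h, so the operator reads 0, 50000, ... 250000 instead of 83333.33 and 1.67E+05; the step size, not the number of divisions, is what the algorithm holds to a round value.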

III.F. MINIMUM PLANT PARAMETERS FOR DISPLAY

The minimum information to be provided shall be sufficient to provide information to plant operators about:

(i) Reactivity Control
(ii) Reactor Core Cooling and Heat Removal from the Primary System
(iii) Reactor Coolant System Integrity
(iv) Radioactivity Control
(v) Containment Conditions

The specific parameters to be displayed shall be determined by the licensee (NUREG-0737, Supplement 1, Section 4.1.f).

Of the 57 units reviewed, 25 were found to have a sufficient set of SPDS parameters to monitor the five defined safety functions.

The tables that follow show sample variable sets for PWRs and BWRs which have been found acceptable.

While the samples illustrate sets of variables which have been found acceptable, SPDS systems contain inputs from many additional variables. There have also been numerous alternatives and substitute variables approved for SPDS systems.

Staff evaluations of the parameters selected for SPDS systems have been conducted on a plant-specific basis, and take into consideration plant design, Emergency Operating Procedures (EOPs), Emergency Plan Implementing Procedures (EPIPs), and status of NRC approval of R.G. 1.97 variables.

Examples are provided below for some of the more frequently approved alternatives to the sample variables.

Pressurized Water Reactors

Hot leg temperature (T-hot) is included in Table 2 as an acceptable parameter because, when combined with other variables, it provides an indication of the viability of natural circulation.

Other variables that acceptably satisfy the same functional requirement are loop delta temperature, core exit temperature, and T-average.

Emergency core cooling system (ECCS) recirculation flow (e.g., residual heat removal (RHR) or decay heat removal (DHR) system flow) is desirable as an indication of removal of heat from the primary coolant system and containment.

Where RHR (DHR) flow was not available, combinations of the following parameters have been approved: RHR (DHR) pump run status, delta T across RHR (DHR) heat exchangers, delta T across service water systems supplying the RHR heat exchangers, and RHR (DHR) service water system flow. The combination must be adequate to monitor, with a degree of confidence, the adequacy of heat removal from the primary system when the steam generators are not available for this purpose.

Containment sump level is a desirable indicator for the onset of a coolant system leak or break. In the absence of sump level, parameters such as the following have been approved: sump high level alarm, sump pump run time, sump pump flow totalizer, sump pump run status.

In order to be satisfactory, the types of substitutes listed should have an alarm function on the top level display (e.g., excessive sump pump run time).


Table 2. Safety Parameters for Pressurized Water Reactors

Safety Function                                 Representative Parameters for Display

1. Reactivity control                           Power range instrumentation
                                                Intermediate range instrumentation
                                                Source range instrumentation

2. Reactor core cooling and heat removal        RCS level
   from the primary system                      Subcooling margin
                                                Hot leg temperature
                                                Cold leg temperature
                                                Core exit temperature
                                                Steam generator pressure
                                                RHR (DHR) flow

3. Reactor coolant system integrity             RCS pressure
                                                Cold leg temperature
                                                Containment sump level
                                                Steam generator pressure
                                                Steam generator level
                                                Steam generator blowdown radiation

4. Radioactivity control                        All effluent stack monitors
                                                Steamline radiation
                                                Containment radiation

5. Containment conditions                       Containment pressure
                                                Containment isolation status

Table 3. Safety Parameters for Boiling Water Reactors

Safety Function                                 Representative Parameters for Display

1. Reactivity control                           Average power range monitors
                                                Source range monitors

2. Reactor core cooling and heat removal        RPV water level
   from the primary system                      Drywell temperature

3. Reactor coolant system integrity             RPV pressure

4. Radioactivity control                        All effluent stack monitors
                                                Offgas monitor
                                                Containment radiation monitor

5. Containment conditions                       Drywell pressure
                                                Drywell temperature
                                                Suppression pool temperature
                                                Suppression pool level
                                                Containment isolation status
                                                Drywell hydrogen concentration
                                                Drywell oxygen concentration

The radioactivity control safety function of SPDS should include all major monitored effluent pathway points (stacks and vents) which are potential release points for fuel gap activity. Separate ventilation exhausts for areas such as hot machine shops and radwaste need not be included. Computed release rates (Ci/sec, uCi/sec, etc.) are the desirable SPDS top level variable, but release concentrations and raw monitor readings (CPM, mR/hr, etc.) are acceptable (i.e., not using a flow rate input).

Because the main steam line (or steam generator) radiation monitors on PWRs are usually located upstream of the main steam isolation valves (MSIVs), they can be used both to assess radioactivity within the secondary system when the MSIVs are closed, and to monitor releases to the environment through the atmospheric dump and safety valves.

In a few cases main steam line monitoring was not available. In those cases the staff accepted less preferred methods of satisfying this aspect of the radioactivity control safety function.

Containment hydrogen concentration is also a desirable parameter for SPDS. However, in the rare instances where NRC has previously approved an off-line hydrogen monitoring system in a safety evaluation report (SER) under Regulatory Guide 1.97 review, the SPDS reviewers have found these systems acceptable for SPDS use.

Boiling Water Reactors

Guidance for the input of radioactive material effluent points is essentially the same for BWRs as that discussed above for PWRs.

BWRs that have incorporated a secondary containment control guideline in their EOPs frequently use several reactor building area radiation monitors (ARMs) and process radiation monitors (PRMs) as inputs to the SPDS top level displays. These inputs provide early indication of problems outside the drywell (containment).

Because BWR safety relief valves (SRVs) exit the main steam lines upstream of the MSIVs and the MSL radiation monitors, and because they discharge to the suppression pool or torus, BWR MSL radiation monitors are a desirable, but not mandatory, input to SPDS.

Drywell (containment) hydrogen and oxygen concentrations are both desirable inputs to the SPDS. However, with most BWR drywells now being rendered inert with nitrogen, oxygen concentration becomes the more important parameter; therefore, in some cases, BWRs with inert drywells are not required to use hydrogen concentration as an input to SPDS, but are required to use oxygen concentration.

A close review of Tables 2 and 3 reveals that intermediate range nuclear instrumentation (NIs) is listed for PWRs, but not for BWRs. A staff survey of licensee computer system inputs showed that 61 percent of the reactor sites had not included intermediate range instrumentation on their computer systems. The intermediate range parameter is desirable, but the difficulty of programming the range switch position input to create a meaningful parameter overrides the benefit of using the intermediate range. Only 2 or 3 reactor sites have a computer system which has been programmed to make real use of intermediate range NI data.


PWRs and BWRs

One desirable method for monitoring containment or drywell isolation valve status is to employ an algorithm which uses both the isolation demand signals and the valve position indications. This allows a rapid assessment of both the demand for an isolation and the successful completion of valve re-alignment. For some SPDS systems, where only the isolation demand signals have been used, NRC has approved the system if containment isolation valve position is readily available to the SPDS operator on a nearby control board.

The use of control board indication to supplement SPDS in this case has only been approved where the control board display was in the direct field of view of the SPDS operator, was confined to one area of the control board, and where status could be determined at a glance. Some licensees have rewired isolation status matrices to make all of the status lights (including spare tiles) operate together (e.g., all lighted) upon a successful isolation, thereby providing the necessary visual conciseness.

The sample parameter list shows only nuclear instrument (NI) computer points under the reactivity control safety function. Although some licensees have used only NIs in their reactivity control algorithms, most have used other inputs such as scram (or trip) breaker position, reactor protection system (RPS) trip status, rod position indication, and coolant boration level in addition to the NIs, to create an algorithm which serves as both an ATWS indicator and a loss of shutdown margin indicator. Only NI inputs are required, but the greater sophistication of using additional inputs is a desirable enhancement.
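The two top-level algorithms described above, containment isolation status from the demand signal plus valve positions, and a reactivity control status that combines NI inputs with breaker, RPS, rod position and boration inputs, can be written down concretely. The following Python is an added example, not code from NUREG-1342 or from any licensee's SPDS; the valve tags, the 5 percent shutdown power threshold and the input names are assumed for illustration, and a real SPDS would take its signal list and setpoints from plant-specific design and the EOPs.

```python
"""Two SPDS top-level status algorithms of the kind the text describes.

Added example, not part of NUREG-1342 or any licensee's SPDS. The signal
names, the shutdown power threshold and the valve tags are assumed for
illustration; a real SPDS takes them from plant-specific design and EOPs.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Isolation(Enum):
    NORMAL = "no isolation demanded"
    ISOLATED = "isolation demanded and all valves closed"
    INCOMPLETE = "isolation demanded, valve(s) still open"
    INDETERMINATE = "isolation demanded, position indication lost"


def isolation_status(demand: bool, valves: Dict[str, Optional[str]]) -> Isolation:
    """Combine the isolation demand signal with valve position indication.

    valves maps a valve tag to 'closed', 'open', or None when position
    indication is unavailable. Demand alone only says isolation was called
    for; the positions say whether re-alignment actually completed.
    """
    if not demand:
        return Isolation.NORMAL
    positions = set(valves.values())
    if "open" in positions:
        return Isolation.INCOMPLETE
    if None in positions:
        return Isolation.INDETERMINATE
    return Isolation.ISOLATED


def unconfirmed_valves(valves: Dict[str, Optional[str]]) -> List[str]:
    """Tags to name on the display when isolation did not confirm closed."""
    return sorted(tag for tag, pos in valves.items() if pos != "closed")


class Reactivity(Enum):
    NORMAL = "no trip demanded"
    SHUTDOWN = "trip complete, flux decreasing"
    ATWS = "trip demanded but reactor not shut down"
    LOSS_OF_MARGIN = "shut down, but flux rising or boron below requirement"


@dataclass
class ReactivityInputs:
    power_percent: float                    # power range NI reading (required input)
    flux_rising: bool                       # sign of the NI rate of change
    rps_trip: bool                          # reactor protection system trip status
    breakers_open: Optional[bool] = None    # scram/trip breaker position, None if not wired
    all_rods_in: Optional[bool] = None      # rod position indication, None if not wired
    boron_ppm: Optional[float] = None       # coolant boration (PWR), None if not wired
    boron_required_ppm: Optional[float] = None


def reactivity_status(i: ReactivityInputs, shutdown_power_percent: float = 5.0) -> Reactivity:
    """NI-only logic gives the ATWS indication; the optional breaker, rod
    and boration inputs refine it and add a loss-of-shutdown-margin
    indication. The 5 percent threshold is an assumed value."""
    if not i.rps_trip:
        return Reactivity.NORMAL
    if i.power_percent > shutdown_power_percent:
        return Reactivity.ATWS            # trip demanded, power still high
    if i.breakers_open is False or i.all_rods_in is False:
        return Reactivity.ATWS            # trip did not complete
    if i.flux_rising:
        return Reactivity.LOSS_OF_MARGIN
    if (i.boron_ppm is not None and i.boron_required_ppm is not None
            and i.boron_ppm < i.boron_required_ppm):
        return Reactivity.LOSS_OF_MARGIN
    return Reactivity.SHUTDOWN


if __name__ == "__main__":
    # Constructed sample inputs, not plant data.
    valves = {"CV-1": "closed", "CV-2": "open", "CV-3": None}
    print(isolation_status(True, valves).value, unconfirmed_valves(valves))
    print(reactivity_status(ReactivityInputs(0.3, False, True, True, True)).value)
    print(reactivity_status(ReactivityInputs(40.0, False, True)).value)
```

An open valve outranks a lost position indication in the isolation verdict, so the display never reports a clean isolation while any valve is known open; and with the optional reactivity inputs left at None the function degrades to the NI-only indicator the text says is the minimum required.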

There have been a few other plant-specific approvals of acceptable substitutes and omissions of parameters, but the examples provided above cover the most common cases.

The staff has found that the SPDS parameter selection was inadequate at 29 units. The most common reason was the omission of variables representing the heat removal, radioactivity control, and containment conditions safety functions, e.g., containment isolation status, radiation variables, containment hydrogen and oxygen concentration, and RHR (DHR) flow.

Sections III.F.1 and III.F.2 below provide a summary of the rationale used by the staff in most reviews to determine what variables constituted a sufficient set of SPDS parameters. The variables are described in tabular form in Tables 2 and 3.

As the basis to determine what set of SPDS parameters were adequate, the staff considered the emergency procedures guidance developed by owners' groups and vendors, as well as other industry guidance documents, such as "Guidelines for an Effective Safety Parameter Display System Implementation Program" (Ref. 11) and NSAC/21, "Fundamental Safety Parameter Set for Boiling Water Reactors" (Ref. 12).

III.F.1 Acceptable Parameters for PWRs

III.F.1.a. Reactivity Control

The rate of change in neutron production (neutron flux) is a fundamental neutronics parameter for assessing the status of plant reactivity control.


Neutron flux can be directly monitored by control room instrumentation for the entire range (0 to 100+ percent) of reactor power.

In a PWR, this range is typically represented with three monitors: the source range monitor, the intermediate range monitor, and the power range monitor.

Other parameters (e.g., rod-in position indicators, reactor trip indicators, boronometers) may provide useful information; however, they are less direct indicators of the overall status of the reactivity control function in that they may provide information that is inconclusive or possibly misleading.

III.F.1.b. Core Cooling and Heat Removal

There is no one measured parameter that directly indicates the status of the core cooling and heat removal safety function.

Instead, several indicators are cited which, when used in conjunction, do provide a strong inference of the status of core cooling and heat removal for the broad spectrum of scenarios and conditions.

The first of these parameters is subcooling. During subcooled heat removal, this variable provides a direct verification of the viability of core cooling as well as some quantification of the core cooling margin.

Subcooling is used in the emergency guidelines as a key criterion to determine the status of the core cooling function. RCS level is an indicator of primary system inventory, a necessary heat transfer medium for core cooling and heat removal. It is used in the guidelines to monitor for an inadequate core cooling (ICC) condition.

Core exit temperature is an important indicator because it is used to determine the viability of the natural circulation mode of heat removal. Together with RCS pressure, core exit temperature is also an input to the subcooling monitor.

Core exit temperature is a key parameter used in emergency guidelines to monitor for the onset of ICC conditions. Hot leg temperature and cold leg temperature are key indicators used in determining the viability of natural circulation as a mode of heat removal. For certain subcooled conditions, these parameters may indicate natural circulation status when core exit temperature may not.

In this case, the hot and cold leg temperatures would be relied upon to ensure adequate natural circulation (per PWR guidelines). Steam generator level is an indicator of the availability and proper control of the secondary system heat sink for the heat removal critical safety function. SG pressure is a key indicator of the viability and integrity of the secondary system. Steam generator (or steamline) pressure is also an indicator used in emergency guidelines to determine the viability of natural circulation as a mode of heat removal (not applicable to Combustion Engineering (CE) plants). RHR (DHR) flow is a key indicator to determine the viability of the heat removal system used when the secondary system is not the principal heat removing system (i.e., large LOCA, ECCS; normal shutdown RHR). Other parameters may be considered, such as RCS average temperature and feedwater flow. These parameters, however, are not considered as versatile over a spectrum of plant conditions, as direct an indication of status of the function being monitored, and/or necessary, since the parameters suggested above provide the same rapid functional information.


III.F.1.c. RCS Integrity

Perhaps the single most informative parameter to be monitored in a PWR is RCS pressure.

Its RCS integrity applications are: (1) it is a principal indicator of RCS integrity, and (2) it is a key parameter used for brittle fracture considerations.

In conjunction with RCS pressure, cold leg temperature is also a key parameter for brittle fracture considerations. Containment sump level is a key indicator to identify a LOCA-type breach of RCS integrity, particularly for smaller leaks during which RCS pressure may not be changing.

It also is an indicator of the viability of the ECCS recirculation mode of heat removal.

Steam generator status (some combination of pressure, level, radiation) is a key (and usually the most rapid) indicator of a steam generator tube rupture type breach of RCS integrity.

Parameters contributing to this status indication are also proposed as key monitors of other critical safety functions.

III.F.1.d. Radioactivity Control

Three variables are generally considered acceptable for the monitoring of radioactivity control for SPDS: stack monitors, steamline monitors, and containment monitors. These three monitors allow a rapid assessment of radiation status for the most likely radioactive release paths.

For PWRs, radiation can be released directly to the atmosphere through two paths. One is through stacks, which are monitored by stack monitors, and the other is through the main steam safety valves, which is monitored by the steam line monitor. The stack monitors are normally used during power operation to measure fission products (such as iodine, cesium and the noble gases), which may be vented to the atmosphere. These monitors will also measure the radiation released to the atmosphere during an accident if the containment is not isolated.

The steam line monitor also measures radiation released to the atmosphere when the main steam safety valves are open during plant transients and on turbine trip. The steam line monitor is also important in measuring the radioactivity on the secondary side during a steam generator tube rupture if it is located upstream of the atmospheric dump valves and safety valves.

The containment monitor is essential for measuring the radioactivity in the containment atmosphere, especially when the containment is isolated following an accident.

If for any reason containment integrity is breached, an estimate of the off-site doses can be made based on containment radiation readings. The monitor can also provide an indicator of the amount of fuel damage to the reactor core.

Other available radiation monitors may be used but are not considered essential to SPDS. These secondary considerations include vital control area monitors, such as the control room, to which access may be necessary after an accident.

Monitoring primary coolant radioactivity levels is presently performed by sampling and analysis in the sampling room. The continuous activity monitors presently available are of limited value because of their isolation on a containment isolation signal. Although the post-accident sampling system eventually provides a representative sample for evaluation, direct, continuous monitoring is not presently part of the SPDS design. Such a new PWR design requirement is considered outside the scope of the current SPDS review.

III.F.1.e. Containment Conditions

The following three key parameters should be monitored by the SPDS to provide a rapid assessment of containment conditions:

Containment pressure,
Containment isolation, and
Containment hydrogen concentration.

Containment pressure is a direct indication that containment integrity may be threatened by overpressurization. Also, as the containment pressure increases, it provides the driving force that can cause the containment environment to escape to the atmosphere through leaks in the containment structure.

For the more likely accident scenarios that cause the containment pressure to increase, the containment environment is at saturated conditions. Hence, if the containment pressure is known, the containment temperature can be determined; therefore, it would not be necessary to measure containment temperature.

For the few less probable accident scenarios in which the containment pressure increases but the containment environment is superheated, the superheated conditions only exist until the containment sprays are activated (shortly after the start of the accident).

Because of the short period during which the containment environment is superheated, there is little need to know the amount of superheat in the containment environment by monitoring the containment temperature.

Equally important, generic emergency technical guidelines do not require operator actions based upon a rapid assessment of containment superheating.

A primary function of the containment is to prevent release of radioactive gases and particulates to the environment. By monitoring the demand signal and actual status of all isolation valves, there is assurance that, when demanded, the known process system pathways penetrating containment have been secured. Also, by monitoring the status of all isolation valves, the containment purge and/or vent system's supply and exhaust line valves will also be monitored. Hence, a separate display of the status of these valves on the SPDS is not a requirement.

Containment hydrogen concentration is a key parameter to monitor for containment combustible gas control.

For some accident scenarios, hydrogen can be produced and released to the containment. Combustion of large amounts of such hydrogen has the potential for causing the containment structure to fail.

The monitoring of the oxygen concentration is not necessary for large dry containments since these containments have an oxygen-rich atmosphere during normal operations.

III.F.2 Acceptable Parameters for BWRs

III.F.2.a. Reactivity Control

The rate of change in neutron production (neutron flux) is a fundamental neutronics parameter for monitoring the status of the plant reactivity control.

The average power range monitors (APRMs) and source range monitors (SRMs) represent the principal SPDS neutron flux indicators for reactivity control. APRMs calculate the neutron flux and provide a single power level representing the average value for all core regions. The plant Technical Specifications require the APRM to be operable during all modes of operation except cold shutdown. SRMs are necessary to monitor the reactivity status during shutdown and startup.

Other parameters considered for reactivity control were control rod position or control rod status lights ("all in").

Control rod position indication is useful but of limited value since an indication of partial insertion would leave the power level indeterminate.

For some plants, identification of the control rod insertion level is an involved procedure requiring the use of a computer console to call up rod bank positions. One specific exception to this is an SPDS which incorporates a scram event status target light on the SPDS display. This was reviewed and accepted by the staff as a substitute for the SRMs based on the condition that the scram status is continuously monitored and receives input from the SRMs.

Boiling water reactors presently use a standby liquid control system (SLCS) to inject boron into the reactor coolant system. Its purpose is to shut down the reactor and maintain shutdown in the event the control rod drive system is inoperable.

Unlike PWRs, BWRs do not contain boron under normal operating conditions, and boronometers are not part of the BWR design.

The injection of boron would be sufficiently identified through the APRM instrumentation already part of the SPDS. Since boronometer instrumentation is not part of the BWR design, we consider such a new design requirement to be outside the scope of SPDS reviews.

III.F.2.b. Core Cooling and Heat Removal

The primary parameter for indicating core cooling is reactor pressure vessel water level. General Electric (GE) analyses show that it is unlikely that fuel damage will occur as long as the core is two-thirds covered. Also, the Emergency Procedure Guidelines (EPG) are keyed to important operator actions at various water levels. A knowledge of total core flow, although useful information, is not considered an essential parameter for a rapid assessment of the core cooling and heat removal safety function, since an adequate water level is sufficient for this purpose. Also, the EPGs do not address core flow as a key indicator, which is consistent with this conclusion.

Heat removal monitoring under conditions other than emergency conditions is provided by various modes (e.g., the shutdown cooling mode) of the residual heat removal system (RHR). Also, for the containment cooling and low pressure coolant injection (LPCI) modes of the RHR, water is circulated from the suppression pool through the RHR heat exchangers to the spray headers and the reactor pressure vessel and back to the suppression pool. Since the suppression pool provides a heat sink when the main condenser is isolated, the suppression pool temperature and water level should be monitored to indicate the status of heat removal capability.

Consideration was given to the status of the core spray system flow as a parameter for the heat removal safety function. Either the low pressure spray system or the high pressure spray system is capable of automatically providing adequate core cooling to prevent fuel damage. However, since the EPGs have keyed operator actions to vessel water level (such actions as verification of system actuation), it is water level that still remains the essential core cooling indicator. Although ECCS injection status is important as follow-up verification of a response to a rapid initial determination of inadequate water level, the first assessment of a potential core cooling problem through water level serves the purpose of SPDS.

III.F.2.c. Pressure Vessel Integrity

Reactor pressure vessel pressure is a fundamental parameter for monitoring reactor coolant system integrity since a sudden decrease could be indicative of a breach of the coolant system.

Increasing reactor pressure could indicate a loss of adequate heat removal, and a subsequent challenge to RCS integrity.

(Drywell pressure is considered of secondary interest relative to vessel integrity: an increase in drywell pressure results from a coolant system break. However, since drywell pressure is a fundamental parameter for containment integrity, it was included as part of the SPDS.)

III.F.2.d. Radioactivity Control

Three radioactivity monitors are considered essential for the radioactivity control safety function. The station vent stack monitor is important since it measures noble gas radiation and allows for decay of the short-lived nitrogen-16 isotope. The vent stack release rate is also an important parameter used in the generic EPGs. A containment activity monitor is essential since it provides the status under containment isolation conditions (when the station vent stack monitor is unavailable).

An off-gas post-treatment effluent monitor also measures noble gas activity and is considered essential if it represents a separate effluent point from the station vent stack monitor.

Like the station vent stack monitor, it is not continuously available following containment isolation.

Other useful monitors may be proposed but are not considcred essential for SPDS. The monitors trlected should measure delayed activity to avoid H-16 interference (7-sec half life). The performance cf ionization.;hambers nakes them least preferred for this application; therefore, the HVAC (exhaust) monitors are net considered essential for SPDS. The nain stean line monitor is a gansu ion chamber which measures N-16 and is not considered essential for l

l SPDS The stancby gas treatnent monitor, located between the HVAC monitors erd the plant stack vent, is considered a secondary paramete' (not essential for SPDS). Monitoring the radioactivity reator vessel watcr level is presently performed by sampline from the retirculatier rystem loops and analysis in the semple room. The continecus sampling system activity monitors presently used are not useful following isolation. Although the post-accident scmpling system eventually provides a representative semple for evaluation, direct, continuous monitoring is not presently part of the SPDS design.

Such a new BWR cesign requirement is censidered cutside the scope of the current SPDF review.

?!

III.F.2.e. Containment Conditions

Several essential parameters are fundamental to the containment conditions safety function. Drywell pressure is considered a primary variable for status indication since a rise in drywell pressure eventually results in a reactor trip and is the primary threat to containment integrity. Other primary variables related to containment integrity are monitored to determine the status of the suppression pool heat absorption capability and containment environmental conditions. These are drywell temperature, suppression pool temperature, suppression pool water level, and containment temperature (Mark III only). In addition, hydrogen* and oxygen monitors should be included on the SPDS to monitor the potential for hydrogen deflagration.

Containment isolation valve status is also a primary indicator of a potential release path, provides necessary assurance that these paths are closed, and is therefore considered essential for SPDS parameter display.

IV. DEFINITION OF AN OPERATIONAL SPDS

In the staff's past reviews, controversy has occasionally arisen over the staff's interpretation of orders or license conditions that require the licensee or applicant to have a fully operational/operable/operating/functional SPDS installed in the control room by a certain, negotiated date. Although different terms were used to define the concept of operability, the staff's intent is that the control room be provided with a safety parameter display as required by Supplement 1 to NUREG-0737. The staff has considered an SPDS operational if it is described as follows:

Has been fully tested, installed, accepted, and turned over to plant operations for use.

Provides the defined function of SPDS, i.e., displays the minimum information sufficient to allow operators to assess plant safety status; specifically, displays sufficient information to monitor the five safety functions defined in Supplement 1 to NUREG-0737.

Provides valid, reliable information in a continuous display.

Functions as a system that includes clearly written procedures for its use and operators that have been fully trained to operate and interpret its displays.

The staff discovered several SPDSs that had been declared operational, but were in fact so unreliable that operators would not or could not use them. Generally, these systems were not fully tested and were undergoing significant debugging and modification. These systems also exhibited chronic system-wide or functional failures, often without adequate warning to alert operators that the SPDS displays were invalid, inaccurate, or outdated. These problems were compounded by lack of adequate operator training regarding SPDS.

* Not necessary for inerted containments.


The staff's practice to determine whether an SPDS is operational has been that, if operators cannot routinely use the SPDS to determine the status of all five safety functions, for whatever reason, it is not operational. For example, if there is not enough valid information being displayed (as defined by the licensee's list of approved SPDS parameters, as defined in Supplement 1 to NUREG-0737, Section 4.1.f) to allow operators to assess one or more of the safety functions, the SPDS is not operational. Unreliable hardware and software, and lack of adequate training, are common reasons that SPDSs do not function properly even after being declared operational.

The staff practice generally has not challenged licensees' claims that their SPDS is operational unless the SPDS has chronic reliability problems, the operators are poorly trained or not trained at all, and the SPDS is providing invalid information for significant periods of time (i.e., longer than necessary for normal maintenance or software programming work orders to be executed).

In summary, the staff finds acceptable an SPDS that fully provides its required function as evidenced by the ability of operators to determine the status of all five safety functions identified in Supplement 1 to NUREG-0737.

V. SUMMARY

The staff has provided examples of SPDS features and characteristics that acceptably satisfy the requirements for an SPDS. Definitions, assumptions, and general principles that are basic to staff practice during evaluations of SPDS were also provided. This discussion should clarify some of the confusion that surrounds implementation of the requirements for the SPDS, and provide a common conceptual framework for the post-implementation reviews, audits, and inspections that lie ahead. The SPDS is an important initiative in the industry's effort to improve emergency response. The purpose of this report is to communicate to the industry acceptable ways of implementing the SPDS requirements so that deficient systems may be improved as necessary, that systems still under development may be optimized, and that the regulatory review process may be streamlined by providing licensees with sufficient information to forewarn them of likely problem areas.


REFERENCES

1. U.S. Nuclear Regulatory Commission, "NRC Action Plan Developed as a Result of the TMI-2 Accident," NUREG-0660, Vols. 1 and 2, May 1980.

2. U.S. Nuclear Regulatory Commission, "Clarification of TMI Action Plan Requirements," NUREG-0737, November 1980.

3. U.S. Nuclear Regulatory Commission, "Functional Criteria for Emergency Response Facilities," NUREG-0696, December 1980.

4. U.S. Nuclear Regulatory Commission, "Human Factors Acceptance Criteria for the Safety Parameter Display System," NUREG-0835 (Draft Report for Comment), October 1981.

5. U.S. Nuclear Regulatory Commission, "Clarification of TMI Action Plan Requirements, Requirements for Emergency Response Capability," NUREG-0737 Supplement 1, December 1982.

6. U.S. Nuclear Regulatory Commission, "Standard Review Plan, Chapter 18.2 Safety Parameter Display System; Appendix A - Human Factors Review Guidelines for the Safety Parameter Display System," NUREG-0800, December 1984.

7. U.S. Nuclear Regulatory Commission, "Progress Reviews of Six Safety Parameter Display Systems," NUREG/CR-4797, August 1986.

8. U.S. Nuclear Regulatory Commission, "Safety Parameter Display System Malfunctions," IE Information Notice No. 86-10, February 1986.

9. Nuclear Safety Analysis Center, "Verification and Validation for Safety Parameter Display Systems," NSAC/39, December 1981.

10. U.S. Nuclear Regulatory Commission, "Guidelines for Control Room Design Reviews," NUREG-0700, September 1981.

11. Institute for Nuclear Power Operations, "Guidelines for an Effective SPDS Implementation Program," NUTAC, January 1983.

12. Nuclear Safety Analysis Center, "Fundamental Safety Parameter Set for Boiling Water Reactors," NSAC/21, December 1980.

BIBLIOGRAPHY

IN 86-10  Nuclear Regulatory Commission, IE Information Notice No. 86-10: Safety Parameter Display System Malfunctions, February 1986.

NSAC/8  Nuclear Safety Analysis Center, Nuclear Plant Safety Parameter Evaluation by Event Tree Analysis, October 1980.

NSAC/10  Nuclear Safety Analysis Center, Parameter Set for a Nuclear Plant Safety Console, November 1980.

NSAC/21  Nuclear Safety Analysis Center, Fundamental Safety Parameter Set for Boiling Water Reactors, December 1980.

NSAC/39  Nuclear Safety Analysis Center, Verification and Validation for Safety Parameter Display Systems, December 1981.

NSAC/55  Nuclear Safety Analysis Center, Safety Parameter Display System for the Yankee Atomic Electric Company, August 1982.

NUREG-0585  Nuclear Regulatory Commission, TMI-2 Lessons Learned Task Force Final Report, October 1979.

NUREG-0660  Nuclear Regulatory Commission, Action Plan Developed as a Result of the TMI-2 Accident, May 1980.

NUREG-0696  Nuclear Regulatory Commission, Functional Criteria for Emergency Response Facilities, December 1980.

NUREG-0737  Nuclear Regulatory Commission, Clarification of TMI Action Plan Requirements, November 1980.

NUREG-0737  Nuclear Regulatory Commission, Supplement 1, Clarification of TMI Action Plan Requirements, Requirements for Emergency Response Capability, December 1982.

NUREG-0800  Nuclear Regulatory Commission, Standard Review Plan, Chapter 18.2 Safety Parameter Display System; Appendix A - Human Factors Review Guidelines for the Safety Parameter Display System (Draft NUREG-0835), November 1984.

NUREG-0814  Nuclear Regulatory Commission, Methodology for Evaluation of Emergency Response Facilities (Draft).

NUREG/CR-4797  Nuclear Regulatory Commission, Progress Reviews of Six Safety Parameter Display Systems, August 1986.

EPRI NP-2110  Electric Power Research Institute, On-line Power Plant Signal Validation Technique Utilizing Parity-Space Representation and Analytic Redundancy, November 1981.

EPRI NP-2239  Electric Power Research Institute, Evaluation of Safety Parameter Display Concepts, February 1982.

EPRI NP-4566  Electric Power Research Institute, Validation and Integration of Critical PWR Signals for Safety Parameter Display Systems, May 1986.

EPRI NP-5066M  Electric Power Research Institute, Validation of Critical Signals for the Safety Parameter Display System, April 1987.

EPRI NP-3701  Electric Power Research Institute, Computer-Generated Display System Guidelines, Volumes 1 and 2, September 1984.

GA E-2b5-1333  General Atomic, Test Report on Electrical Testing of Isolation Devices, Digital Radiation Monitoring System, May 1985.

GE NEDE-30?84-P  General Electric, Emergency Response Information System, November 1983.

WCAP-7506-L  Westinghouse, Test Report, Nuclear Instrumentation System Isolation Amplifier, April 1975. This document is not publicly available because it contains proprietary information.

WCAP-7508-L  Westinghouse, Topical Report, Test Report on Isolation Amplifiers, May 1975. This document is not publicly available because it contains proprietary information.

WCAP-7819, Rev. 1  Westinghouse, Test Report, Nuclear Instrumentation System Isolation Amplifier, January 197?.

WCAP-7819, Rev. 1-A  Westinghouse, Test Report, Nuclear Instrumentation System Isolation Amplifier, April 1975.

WCAP-7824  Westinghouse, Isolation Tests, Process Instrumentation Isolation Amplifier, December 1971.

WCAP-8892A  Westinghouse, Westinghouse 7300 Series Process Control System Noise Tests, June 1977.

WCAP-9011  Westinghouse, Test Reports of Isolation Amplifiers, Part 1, February 1969; Part 2, October 1986.

WCAP-10621  Westinghouse, Westinghouse Thermocouple / Core Cooling Monitor System Test, July 1984.

BIBLIOGRAPHIC DATA SHEET

Report number: NUREG-1342

Title: A Status Report Regarding Industry Implementation of Safety Parameter Display Systems

Authors: George W. Lapinsky, Jr., Richard J. Eckenrode, P. Clare Goodman, Richard P. Correia

Date report completed: December 1988

Date report issued: April 1989

Performing organization: Division of Licensee Performance and Quality Evaluation, Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555

Sponsoring organization: Same as above.

Type of report: Technical

Period covered: 6/84 - 11/87

Abstract: This report provides a summary of the results of the U.S. Nuclear Regulatory Commission staff's review of installed safety parameter display systems (SPDS) at $7 nuclear units. The staff describes its rationale and practice for determining acceptability of some of the methods for satisfying the various requirements for SPDS as well as some methods that the staff has not accepted. The staff's discussion of identified strengths and weaknesses should aid licensees in solving some of the problems they may be experiencing with their SPDS.

Key words / descriptors: Control Room Display System; Safety Parameters; Safety Parameter Display System; SPDS

Availability: Unlimited

Security classification: Unclassified
