Text

_

1 E

j SYSTEMS INTERACTION PROGRAM FOR MIDLAND UNITS I AND II l

Prepared by Midland Project Safety & Licensing Department i

l miO183-1513a131 January, 1983 9302040099 830128 PDR ADOCK 05000329 l

i i

E PDR

CONTENTS Page No INTRODUCTION 1

ORGANIZATION 4

Spatial Systems Interactions 5

1 Functional Interactions 6

Human Interactions 7

SCOPE OF WORK 8

Spatial Systems Interactions 8

Functional Interactions 14 1

Human Interactions 21 SCHEDULE / COSTS 25 REFERENCES 26 f

i I

f I

miO183-1513a131 Rev 0 l

n 1

INTRODUCTION In mid-1977, Task A-17, was initiated by NRC to confirm that present design and review procedures take into account the potential for undesirable interactions between and among systems. The task was divided into two phases as follows:

Phase I identified areas where interactions between and among systems are pos-sible and have the potential of negating or seriously degrading the perform-ance of safety functions. Phase I identified where NRC review procedures may not have properly accounted for these interactions. The results of Phase I are documented in Reference 1.

Phase II was a follow-up phase to take specific corrective measures in areas where Phase I indicated a need.

In a status summary of Task A-17 (NURE"--n606, November 16, 1981), it was stated that Phase II will not be pursued as an unresolved safety issue. The work originally planned under Task A-17 now will be performed under TMI Action Plan Item II.C.3, Systems Interaction.

An NRC Staff summary letter report on the approach to systems interactions in light water reactors was issued on June 25, 1981 by Thomas E Murley, Director, Division of Safety Technology. The report summarized the present Staff think-ing on the approach to systems interaction programs. This approach divides systems interactions into two groups. One group is for internally caused systems interactions and the second is for externally caused (spatial) systems interactions. This summary further stated that a combination of probabilistic risk assessment, fault trees, failure modes and effects analysis, site walk-downs, etc, can be applied to identify systems interactions.

miO183-1513a131 Rev 0

2 As a part of existing programs, the Midland Plant already has incorporated many of the ideas brought out in the Staff summary. Some of these programs have always been a part of the design, construction, and testing process for the Midland Plant and others are the result of specific CP Co initiatives or NRC Staff requests. The programs that constitute the Midland Plant systems interaction program fall into three distinct phases which are generic to all plants, as outlined in the following paragrapF,

The first phase is an integral part of the design process and is concerned with identifying functional interactions. These functional interactions result from interdependencies between different systems in which the failure of one system could impact upon the safe operation of another system or systems. Questions relative to the functional interactions arise when experience or analysis indicate that the plant design is incomplete or inadequate. When deficiencies are identified, they are usually evaluated in special programs which may then be incorporated into NRC or A/E (Architect / Engineers) generic requirements for example. A: the design basis for nuclear power plants has evolved, unwanted interactions have been identified and an analysis of these interactions has been incorporated into design guides and the review process. As a result, much more is considered today during the design of a nuclear powcr plant than was the case several years ago.

The second phase is concerned with spatial relations between system components and is directed toward identifying potential unsafe conditions which result from the specific as-built layout of plant components. Physical interactions are considered in the design process. To verify that the physical miO183-1513a131 Rev 0

3 interactions were adequately addressed in the design stage, and were not compromised by work in the latter construction stages, the spatial systems interactions programs employ physical inspections, or walkdowns, of specific plant systems. Spatial interactions inspections also help to verify that the plant has been constructed in accordance with design requirements.

The third phase of a comprehensive systems interactions program is concerned with integrating human capabilities into the design and insuring that the plant will be operated and maintained as intended in the original design.

This phase is oriented toward assuring the long term safe operation of the plant.

The following sections present details of the phaces described in general terms above providing the organization, scope of work, schedule and status of systems interactions activities. The activities described have been completed, or are presently being performed, at the Midland Nuclear Plant.

i j

1 l

l

\\

miO183-1513a131 Rev 0

^

^

a 4

ORGANIZATION The Midland Systems Interaction (SI) Program document has been organized by the Plant Control & Operations (PC&O) Section of Consumers Power Company's (CP Co) Midland Safety & Licensing Department. To ensure a well-defined, compre-hensive program, PC&O coordinated the activities of Bechtel-Ann Arbor (the plant architectural engineering firm), Babcock & Wilcox (NSSS vendor),

engineering disciplines at CP Co, and various consultant groups. Also, previous SI documentation from the Atomic Industrial Forum, NRC letters, ACRS comments, and other utility reports were reviewed.

The Midland SI program is divided into three major divisions: (1) Spatial System Interactions, (2) Functional Interactions, and (3) Human Interactions.

Spatial System Interactions (SSI) are defined as the condition where the failure of a system, component, or support (either safety-related or non-safety related) could compromise the capability of required safety systems to fulfill their safety design basis. Functional Interactions result from systems being coupled through process or other interdependencies, such that the failure of one system could impact deleteriously upon the safe operation of another system. Human interactions, which CP Co limits to induced human errors, occur when the operator, through erroneous information is led to take actions that could have an adverse impact on the plant.

l These major divisions and their sub-tasks are depicted in Figures 1, 2, and 3.

The organization and features of each division are described in the following paragraphs. Each division utilizes existing design, construction, testing, and training programs which inherently address SI, although many sub-tasks do miO183-1513a131 Rev 0

)

1 5

not specifically address SI concerns. The sub-tasks that are specifically designed to address SI concerns are the Level I walkdowns described in the following sections.

SPATIAL SYSTEMS INTERACTIONS Figure 1 depicts the function and responsibility of the primary (Level 1) spatial systems interaction program walkdowns. The identification of spatial systems interactions, which may have gone undetected during the design process.

or resulted from as-built conditions, is accomplished through these plant walkdowns, using engineering teams that provide multidisciplinary experience.

Level I walkdowns address potential proximity, Seismic II/I, high-energy line break analysis (HELBA), internal missiles, and flooding concerns and provide the primary spatial interaction detection mechanism. Supplementing the Level I walkdowns are the Level 2 walkdowns: piping stress, fire protection, thermal growth, and system or area turnover concerns. Level 2 walkdowns will be discussed only briefly as they address specific concerns of more limited scope and are supportive of the Level 1 effort.

Level I walkdowns are not an afterthought in the Midland design. Although limited in scope the need for, and benefits of, plant walkdowns was recognized prior to the beginning of construction. The walkdown scope has increased significantly during construction primarily as a method of providing a programmatic verification that design requirements were met.

To provide direction in developing procedures, selecting walkdown team mem-bers, and defining responsibilities, PC&O has written a Task Description for the Level I walkdowns (Reference 2).

From the requirements stated in the Task miO183-1513a131 Rev 0

6 Description, Bechtel has developed an " umbrella" technical specification (Reference 3).

This specification defines the overall scope of the Level 1 SSI tasks. Individual specifications and procedures for specific walkdowns define the scope of Proximity-Seismic II/I; KELBA, Missiles, and Flooding. As shown in Figure 1, specific walkdown procedures, developed under the umbrella procedure, assure that CP Co will have input into procedure development, selection of site team personnel, actual site walkdowns, resolution of identified concerns, and implementation of corrective actions. Also, CP Co Midland Project Quality Assurance Department (MPQAD) personnel have been integrated into this process throughout its development. MPt)AD, for example, will audit the walkdowns to ensure their compliance with the applicable Bechtel procedures.

FUNCTIONAL INTERACTIONS As indicated in Figure 2, the identification of adverse functional interac-tions is accomplished under five distinct tasks, with heavy reliance placed on the Design Control and Preoperational Testing tasks.

In the Design Control task, an interdisciplinary review is required to ensure that the design interfaces between the various engineering groups are properly defined.

Preoperational checkout and testing of systems at Midland is used to confirm the absence of unacceptable functional interactions during specific operating modes and evolutions. Preoperational testing demonstrates the capability of the equipment or system to meet design performance and safety criteria, provides baseline and operating data from whien future operational anomalies may be identified, and demonstrates the ability of the Nuclear Steam Supply miO183-1513a131 Rev 0

7 System (NSSS), auxiliary systems, and related secondary systems, to operate properly from cold conditions to hot, zero power conditions.

In the PRA and Control Systems Failure Evaluation tasks, selected safety and non-safety systems are subjected to probabilistic risk assessment analyses and failure mode and effects analyses (FMEA) to identify potential adverse

' interactions.

In general, the PRA's and FMEA's are conducted by consultants under management control of CP Co's Safety & Licensing Department.

Input also is provided from Bechtel and B&W (the nuclear steam supply system vendor).

Certain FMEA's have been initiated by Bechtel as part of the design requirements.

The Safety & Licensing Department systematically reviews nuclear industry operating experience to further identify functional interactions. Documenta-tion, including NSFS vendor reports, INPO reports and Licensing Event Reports (LER's), are reviewed to determine their applicability to Midland.

Informa-tion from preoperational checkout and testing of systems at Midland also is used when available.

HUMAN INTERACTIONS Potential human interaction concerns are identified through tasks that involve a human factors review of the control room design and procedures, review of pressurized water reactor operating experience, and selected PRA analyses (see Figure 3).

Increased operator training with input from these sources, along with the development of Abnormal Transient Operating Guidelines (ATOG) by B&W, have increased the operator's capability to identify and react to problems.

miO183-1513a131 Rev 0

8 SCOPE OF WORK SPATIAL SYSTEMS INTERACTIONS The spatial systems interactions (SSI) program utilizes physical walkdowns to identify conditions where the failure of a system, component, or support (either safety-related or non-safety-related) could compromise the capability of required safety-related systems to fulfill their safety design function.

These conditions were considered during the plant design phase; however, the possibility exists that an interaction was inadvertently overlooked or has resulted from installation. Physical plant walkdowns are performed to verify that the designer considered all interactions and that new concerns have not been introduced during construction as che result of field routing of commodities or improper installation. These walkdowns do not replace the QA/QC inspections normally associated with either installation or design of systems.

[

The primary Level 1 physical inspection or plant walkdowns are: (1) combined Proximity-Seismic Category II/I, (2) HELBA, (3) Internal Missiles, and (4)

Flooding walkdowns. The function and team composition for each of these

(

walkdowns are described in the following paragraphs.

Proximity - Seismic II/I Since the experience requirements and team composition are the same, the Proximity and Seismic II/I inspections are combined into the same walkdown.

The teams have a representative from Bechtel's Licensing & Safety group as the miO183-1513a131 Rev 0

9 team leader, and include representatives from Bechtel's civil, mechanical, electrical, and small pipe and hanger engineering groups.

The purpose of the proximity walkdown is to identify interferences resulting from seismic motions which could impair the ability of safety-related systems to perform their required safety functions. Some of the interferences considered are interferences between adjacent piping, cable trays, instrument lines, conduit, mechanical equipment, building steel and I-beams, heating and ventilation ducts, and supports. The purpose of the Seismic II/I walkdown is to identify Seismic Category II (non-seismically supported) components whose support failure could impact a safety grade commodity or support and impair its required safety function. The walkdown teams are composed of members from various disciplines having at least two years experience each. This assures a broad experience base from which the walkdown team can draw.

Prior to participating on a Proximity-Seismic II/I walkdown team, prospective team members are given several hours of classroom training and several days of on-the-job trainir ; with an experienced team member. New team members usually experience a fairly steep learning curve which levels off after participation in 4-5 days of walkdowns. The on-the-job training allows the new members to ascend the learning curve before participating in an " official" walkdown.

During the training sessions team members are instructed to be alert for non-safety /non-safety interactions which also might impair operability.

CP Co's MPQAD and Site personnel also have the options of auditing and participating in walkdowns.

To provide better control of the Proximity-Seismic II/I walkdowns, the Midland Plant has been subdivided into approximately 250 physical entities which have miO183-1513a131 Rev 0

10 definable boundaries. These are referred to as modules and comprise the basic unit covered in a walkdown. Modules may consist of more than one room.

A checklist of potential spatial interaction problems is made available to team members during the training phase. The checklist was developed as part of the Task Description (Reference 3) to assist in identifying potential in-teractions.

It is emphasized during training that the checklist is only a suggested list of common concerns and is not intended to restrict inspection and documentation of other potential adverse systems interactions.

During a walkdown potential interactions are documented and indexed by room or module for later resolution. The resolution of each potential adverse inter-action is addressed by the Bechtel Supervisory Engineers of the affected 7

disciplines, or their designated representatives and documented. While some resolutions may require design changes and hardware r.odifications, other resolutions may consist of technical justifications which demonstrate that either the potential interaction has no significant consequence or the conservatisms in the installation / design criteria resulted in an over design and thus no adverse interaction exists.

HELBA The HELBA walkdown teams consist of nuclear engineer (s) from Bechtel's Nuclear Special Studies group and Bechtel civil engineer (s). One of the nuclear j

engineers is the designated team leader. The nuclear engineers are experi-enced in the determination of pipe break locations and the resulting " jet zones of influence".

l l

i m10183-1513a131 Rev 0 l

-,y

.. ~ - - -

11 HELBA walkdowns are performed in two phases. The first phase involves a preliminary walkdown in which primary emphasis is placed on identifying potential jet impingement on safety-related conduits and junction boxes.

Because conduit runs are not shown in their actual locations on any drawings, it is not possible to identify the jet-conduit interaction by reviewing draw-ings, or to analytically determine the jet zones of influence, identify targets, and calculate the magnitude of jet force, as is done with other HELBA-affected equipment.

1 The second walkdown phase is used to verify the analytical calculations developed for non-conduit targets. The consequences of any new or relocated safety-related conduits al a are addressed. The Phase 2 walkdown is performed near the time of turnover to testing personnel,(construction essentially completed).

Because the Special Studies Group personnel involved in the HELBA walkdowns are experienced in HELBA analytical techniques, no formal training sesions are required prior to beginning the walkdowns. The analytical experience also is a factor in determining the disposition of any potential impingement problems identified. Whenever possible, the resolution is accomplished and documented during the walkdown.

l Internal Missiles The internal missiles walkdown teams consist of two or more members of i

Bechtel's Nuclear Special Stadies Group who have experience in the analytical determination of potential missiles and their targets. The internal missiles miO183-1513a131 Rev 0

12 considered include nuts under tension, pump parts, and other NSS and non-NSS items listed in Section 3.5 of the FSAR.

The purpose of the walkdown is twofold:

(1) to verify the missile analyses which have been performed based on design drawings and calculations; and (2) to identify safety-related commodities in missile trajectory zones that are not within the scope of calculations (eg, conduit and instrument tubing).

Missile walkdowns are performed in two phases, a preliminary and a final, based on the percentage completion of the area being inspected.

Resolution of identified problems and d'ocumentation of the resolutions will be done by the walkdown team in the field or in conjunction with other disciplines in Bechtel's Ann Arbor office, and may include recommendations to add missile barriers and/or rerouting of conduit and instrument tubing. Since this team is intimately familiar with the issues involved, no formal training is required.

Internal Flooding The internal flooding walkdown teams consist of two or more members of Bechtel's Special Studies Group who have experience in flooding analyses. The internal flooding walkdowns are performed beginning 90 days prior to area turnover for testing so that construction has essentially been completed.

They provide verification for the flooding analyses which are based on design drawings and calculations.

The physical walkdowns encompass all rooms / areas that contain flood sources and all rooms which communicate with these rooms. Resolution of identified flooding concerns, and documentation of the resolutions are performed by the miO183-1513a131 Rev 0

13 walkdown teams in the field. They may result in recommendatioca to relocate safety-related equipment or the addition of spray shields or penetration seals. Again, no formal training is required for this team because of their familiarity with the issues.

Supplementary Walkdowns The primary walkdowns (Level 1) discussed above cre supplemented by other walkdowns (Level 2) that address fire protection, stress, thermal growth (actually a part of stress), system or area turnover walkdowns, and potential concerns discovered during preoperational testing of systems. Through these supplementary walkdowns, individuals with different perspectives and concerns are brought into evaluation of the same systems covered by the Level 1 indi-viduals. The results of these supplementary walkdowns will increase the level of confidence in the systems interaction program at the Midland Plant.

Adverse interactions that requires design changes are brought to the attention of the CP Co Midland Site Technical Superintendent, to determine the impact on site activities, and/or to the Mechanical Section Head of the Design Production Depsrtment for concurrence and to determine the impact on engi-neering activities. The approval of corrective modifications will be the responsibility of CP Co's Design Production Department if the affected system has not been turned over for testing.

If the system has been turned over for.

testing, the CP Co site organization will assume responsibility for these activities.

miO183-1513a131 Rev 0

14 FUNCTIONAL INTERACTIONS Functional interactions are interactions introduced by coupling between pro-cesses. To detect adverse interactions which might result in unwanted systems operations, a variety of controls, analyses, and tests are used.

Design Controls The initial identification of potential adverse functional interactions is accomplished through Bechtel design controls. These controls include indepen-dent review of design documents by personnel in the same discipline as the originator, interdisciplinary reviews performed in accordance with procedures, and requirements that design changes receive the same detailed level of review as the original design. These reviews address spatial interactions, as dis-cussed earlier, as well as functional interactions. Throughout the design phase, functional interactions are carefully scrutinized through operations-related evaluations and analyses techniques. These insure that a high degree of confidence exists in the capability of systems to perform their intended function and that there are no adverse functional interactions which could l

compromise the capability of these systems to meet their safety design bases.

l To supplement the initial design control efforts, for identifying functional interaction concerns, the following tasks are being performed.

Systems Analyses Numerous systems analyses involving systems such as the Engineering Safeguards l

l Actuation System (ESFAS), Nuclear Instrumentation / Reactor Protection System l

(NI/RPS), Integrated Control System (ICS), Radiation Monitoring System (RMS),

miO183-1513a131 Rev 0 i

L

15 v

Process Steam System (PSS), and the Main Feedwater and Condensate System have been performed on the Midland plant. These analyses were usually in the format of a probabilistic risk assessment (PRA) or a failure modes and effects analysis (FMEA).

Quantification of the availability of a system to perform a function when demanded is best accomplished through a probabilistic risk assessment. The primary objectives of the Midland PRA program, with regard to systems inter-action, are to model the following: (1) plant response (including inter-system dependencies) to hypothetical initiating events, and (2) identification and quantification of scenarior leading to safe shutdown, or potential for core damage and possible radioactive releases.

The Midland Project has formed a PRA working team comprised of CP Co General Office and Site personnel, personnel from the PRA consultant, and participants from Bechtel and B&W on an as-required basis.

In order to streamline work and clarify responsibilities, the team is organized with a single point of contact between the CP Co project coordinator (staff engineer from Safety & Licensing) and the consultant's project manager. This team has theoretical and practical experience in a variety of areas. The consultant provides the primary PRA expertise and CP Co and Bechtel provide the Midland design and operations l

expertise. The systems evaluated are limited to the safety grade s'/ stem plus l

l selected non-safety systems, such as off-site electrical power.

To facilitate risk quantification, the systems analyzed in the Midland PRA project are categorized into two groups, referred to as " front line systems" and " support systems." The distinction is that the response of a front line system to initiating events uniquely determines the outcome of accident-(

l miO183-1513a131 Rev 0

a.

1@

sequences. Support systems, by contrast, do not have a direct bearing on the outcome of an accident scenario, but influence the frequency of failure of main line systems. They are, therefore, just as important. Some important support systems at the Midland Plant have been identified as:

o On-site and Off-site AC Electric Power o On-site DC Electric Power o Service Water o Safeguards Chilled Water o Component Cooling Water In most cases, front line systems which depend on these auxiliary systems would be expected to fail within a certain time frame if the support functions are lost. Hence, the frequency of failure of front line systems is, in these cases, conditional on the status of the support system.

Further complications in risk analysis occur because there usually are a number of front line systems which depend on the same support systems. Also, proper functioning of some support systems is dependent upon other support systems, eg, service water pumps depend upon AC power.

Typical dependency relationships between main line systems and auxiliary systems, used in conducting the Midland PRA, are shown on Table 1.

These dependencies are reflected in the logic models (event trees, fault trees and "G0" models) used to characterize the plant response to an initiating event.

They are used to quantify the frequency of each resulting scenario. The PRA effort provided an independent systematic review of plant systems and their interrelationships. Unwanted interactions which may have slipped through the miO183-1513a131 Rev 0

17 design review process can be identified. A comprehensive explanation of the Midland PRA and the details of the modeling process will be provided in the final PRA report.

The PRA analysis does not include detailed system analyses of the non-nuclear instrumentation (NNI) and integrated control system. To augment these analyses, a failure modes and effects analysis was performed by Babcock &

Wilcox. Though these systems are independent of the safety-grade systems and, with the exception of the nuclear power indication / trip, do not share instrumentation with safety-grade systems, they are nevertheless capable of having a significant impact on the operation of the plant.

The scope of the FMEA was to identify power sources, sensors, or sensor impulse lines which serve two or more non-safety grade control functions and then to demonstrate that failures of these functions would not result in consequences outside the bounds of existing FSAR safety analyses. A separate analysis verified.that proper operation of the ICS during a transient would not result in consequences outside the bounds of existing FSAR safety analyses. For the FMEA, the analysis of NNI and ICS failure modes and effects included the following events:

1.

Single instrument failures

(

2.

Power supply failures 3.

Common sensor impulse line failures The analysis of single instrument failures consisted of postulating failures of control system inputs and outputs one at a time, and then evaluating the effect on the plant. NNI and ICS power supplies were investigated to miO183-1513a131 Rev 0

o 18 determine if a power supply failure could cause a failure of more than one control function and to determine if the resulting plant responses are bounded by FSAR Chapter 15 analyses. The designs of the NNI and ICS incorporate redundant power supplied to each system with normal and backup AC and DC power "arctioneered" within ICS, NNI-X, and NNI-Y cabinets.

There are no credible single failures of external or internal power supplies which will result in loss of any NNI or ICS function. However, for the purpose of analyzing plant response, losses of AC power and losses of DC power were separately postulated for the NNI-X, NNI-Y and ICS. The evaluation of common impulse line failures consisted of identifying sensor impulse lines which provide signals to more than one control function and evaluating the failure effects.

Preoperational Testing s

Both the PRA and FHEA tasks utilize analytical techniques to identify poten-tial functional interactions. Preoperational testing of systems is used to provide further confidence in the analytical results and the functional capabilities of the systems. A secondary benefit of the preoperational testing program is that spatial or human interactions may also be identified.

At Midland, CP Co conducts the test program and a test engineer is assigned to each major system for preoperational testing. Preoperational testing provides the initial opportunity for site personnel to observe the effects of system operation, such as fluid flow and heat-up effects. This enables the site engineers to identify anomalies, such as interference and localized piping vibrational problems resulting from thermal growth and unacceptable pipe miO183-1513a131 Rev 0

19 support and pipe movement.

In effect, the preoperational testing servee as a further check on the completeness of the spatial systems interactions tasks covering stress / thermal growth and the systems turnover walkdowns.

The resolution of concerns identified during preoperational testing is nor-mally done through the processing of site problem reports which are written by the site engineers to describe the concern in detail. Processing of site problem reports is performed through approved procedures as described in the beginning of the section on Design Controls.

Additional Checks & Balances As construction progresses changes in the field may occur which could result in adverse interactions. The primary safeguard to prevent this occurrence is imposing the same design controls on field changes as exist on the initial design. Adverse interactions resulting from modifications following commercial operation are also guarded against in two other ways.

The first check for adverse interactions is the preventative maintenance-programs which verify that the equipment will perform as designed and that individua.1 settings (relays or trips, for example) are within tolerance. For example, if a time delay relay is not performing properly, out-of-sequence system interactions may result. An example of testing a complex component would be the periodic testing of sequencers to verify there has been no deterio:1 tion in performance.

l The second prevention against SI's is the periodic testing of automatic fea-tures of various systems through actual system tests. The most elaborate test i

l is the loss of off-site power coincident with an ECCAS.

In this test, all 1

miO183-1513a131 Rev 0 L__

20 emergency equipment associated with an ECCAS and the diesel generator are required to function automatically, thus testing the system in an integrated manner as would be required in an actual emergency.

Operating Experience Review 1

Reviews of nuclear industry operating experience allow CP Co to become aware of problems, including various systems interactions, and to take pre-emptive or corrective 3(; tion to guard against such unexpected transients and conditions. Many types of equipment failure are normally found only through experience. Through these reviews a repeat of such an incident may be avoided.

The responsibility for operating experience reviews and determination of applicability to the Midland units has been assigned to the Plant Control &

Operations Section of CP Co's Safety & Licensing Department. NRC correspon-dence such as I&E Bulletins, Circulars, Information Notices, and filtered industry operating experience, such as INP0's Significant Operating Event Reports (SOER's), are included in these reviews. NSSS vendor experience at 4

other B&W plants is given specific attention through the review of B&W's Operating Experience and Preliminary Safety Concern (PSC) reports. Emphasis in this area helps to identify vendor-specific problems which may not be apparent or surface in the INP0/NSAC reviews in a timely manner.

CP Co operational or design praccices may introduce concerns which may be identified at other CP Co plants and should.be addressed through a review of the Licensee Event Reports (LER's) for CP Co's Palisades and Big Rock nuclear plants. Other documents such as INP0's Significant Event Reports (SER's),

miO183-1513a131 Rev 0

21 Nuclear Operating Experience, and special investigations are reviewed as deemed appropriate.

A formalized system has been established for the review of the above sources.

All documents are reviewed and a preliminary engineering evaluation performed by the responsible PC&O engineer or his designated alternate..If the document is applicable, a detailed evaluation is performed by a knowledgeable' person and then reviewed by affected departments for accuracy.

If, during the course of the preliminary engineering evaluation, the document under review is determined to contain significant information relative to l

testing, it is forwarded to the Site Technical Supervisor for review relative to the Site testing program.

If appropriate, a letter containing an approved recommendation is forwarded to the appropriate organization, directing implementation of the corrective action.

i HUMAN INTERACTIONS In considering human influence (errors) on systems interactions, CP Co has limited its scope of concern to induced human errors. These are errors caused by the operator being misled or confused by the information available. Sys-tems interactions resulting from these types of errors are addressed by placing special emphasis on operator training, control room design reviews, and a review of nuclear power plant operating experience documentation.

!I L

miO183-1513a131 Rev 0

e j

22 Operating Experignce The mechanics of operating experience reviews are covered in the Functional Interactions section of this report. Reviews of operating experience are based on the realization that in some circumstances operator awareness of a potential problem and training can prevent the problem scenario from recur-ring. When a situation that warrants operator awareness is identified, the Training Department is notified s.o that the situation can be included in the training program.

Operator Training Operator training for Midland personnel will permit the operator to cope with systems interactions in a variety of ways. One aid will be the Abnormal Transient Operating Guidelines (ATOG) developed specifically for the Midland units by B&W.

In the past, emergency procedures and operator training concentrated on single event accidents.

But, as the accident at Three Mile Island demonstrated, several things may go erong simultaneously. The virtue of ATOG training is that the operator is not limited by, nor required to rely solely on, the designer's foresight in providing key alarms or indications for every conceivable event that could occur. ATOG emphasizes the recognition of basic symptoms (such as an upset in the core to secondary system heat trans-fer) as scurces of information to determine the correct operator action.

In this manner multiple failures are addressed in a manner to which the operator can respond more effectively.

The ATOG documents will form the basis for the development of the emergency operating procedures. Prior to plant operatior, selected procedures will be miO183-1513a131 Rev 0

23 validated from a human factors standpoint by members of the Midland opera-tional staff, who will walk through the procedures in real-time. The walk throughs serve to tie together all aspects of the Human Interactions stage of the SI program, and may be used to evaluate the adequacy of the control room design and emergency operational procedures.

A plant-specific simulator is being installed at Midland which will be opera-tional by May 1983. This will allow plant-specific training to be given to the Midland operators, and they will not have to rely on outside services or the facilities of the NSSS vendor. The simulator permits training with special situation procedures and simulated equipment failures in a plant-specific control room atmosphere. Team training also is greatly enhanced on a plant-specific simulator. This will assure a coordinated response during an actual emergency by the shift complement. Also, the plant-specific simulator may be used to help identify potential problems with the control room design which can be factored into future modifications.

Control Room Design Review A human factors design review of the Midland Nuclear Power Plant control room was initiated in February 1981 to identify aspects of the design which might increase the probability of operator error. The review was divided into four tasks: (1) preliminary design review (identification of Human Engineering Discrepancies (HED's)); (2) detailed task analysis; (3) enhancements (functional grouping, demarcation of groups, and hierarchial labeling of components); and (4) verification and validation of the control room functions.

aiO183-1513a131 Rev 0

24 The control room design review is being performed using a mock-up of the Midland Unit 2 control panels and the panels common to both units. The Unit I and Unit 2 control room panels are basically the same; therefore potential problem areas identified on Unit 2 are also applicable to Unit 1.

The control room improvement effort has, from the very beginning, been ap-proached as an integrated effort; that is, modifying the control room should not be done without regard to the actions being performed in the control room.

The operating procedures (emergency and normal), panel enhancements, computer displays, guidelines for writing operating procedures, training philosophy, etc, must be integrated before a final resolution of the control room review can be reached. Only in this manner can an optimum solution be reached for the Midland control room environment.

Throughout the control room design review a multidisciplinary team approach is used. This consists of representatives from CP Co's plant design and plant operations groups, industry consultants in human f actors, and technical input from selected areas of the A/E and the NSSS vendor. The review processes implemented are in accordance with the six processes outlined in Section 3.2 of NUREG-0700.

This process assures that the operator is presented with information that is needed and that operating procedures can be easily followed during a transi-ent, thereby minimizing the possibilities for misinterpretation, miO183-1513a131 Rev 0

25 SCHEDULES / COSTS Table 2 summarizes the scheduled completion dates, manpower estimates, and costs associated with the Midland Plant Systems Interaction activities.

Manpower estimates forecast the man years that will be expended by CP Co, Bechtel, B&W and consultants through the scheduled July 1983 fuel load date for the first Midland unit. As noted in Table 2, the estimates do not include any afforts required to implemenc fixes for problems identified by the SI s

program which are determined to be valid concerns. A goal of completing necessary modifications prior to Hot Functional Testing has been established.

i l

I f

(

miO183-1513a131 Rev 0 l

26 4

REFERENCES 1.

NUREG CR-1321, Final Report Phase 1, Systems Interaction Methodology Application Program, April, 1980 2.

Midland Safety & Licensing Department Task Description for Spatial Systems Interaction Procedures, Rev 5, March 22, 1982 3.

Tec; i. cal Specification for Spatial Systems Interaction Program for the Consumers Power Company Midland Plant, Units 1 and 2, Specification No 7220-L-002 (Q) e miO183-1513a131 Rev 0

(.

o s

i r

1/

l TAa!.E 1 KEY INTERSYSTDI DEFENDENCIES IDENTIFIED FOR HIDIAND PROJECT 3

FRONT t.INE SYSTDtS Fower-g g

High 4

Operated Recirculation L

' Containment Fan Relief Auxiliary Hein Froe SUFroRT SYSTpts icontainment Pressure-ow-Fressure Isolation injection Injection Spray Coolere Velve Feedwater

'Feedveter Sump A

B 5

A B

A 5

A B

A B

A 3

j A B

A

.I Feet Dead tus l

l Transfer 5

X e

I g

Essential A IX{gg i X I

X X

X X

N e

i DC III i

I a

X I-I X

I X

X l

X Essential A E

I X

'I I

I X

g X

X(1)

I3) I X

I I

I X

X Service A

X( }

lX(2) g(3)

II l

X(2) i I(2)

X(3)l Water 8

e (4) l (6),

a X

,X X

Safeguardo A X

I I

I Chilled I

, {y) j Water 5

I I

'I X

i Component A

IX X

8 e'

! (5) l A

i Cooling l

i I

Water e

i.

X.

I (5)

I III X

ESFAS A

I g I I

I i X F9wer supply 8

?

I I

I I

I X

X I

l (1) only faite if volves are open.

(5)

MainfeedonUnit2goesumedtoremainfunctional. gay seele tells but pun falls if service water trata a

fails, (2) heaults froe failure of component cooling (6) ester or esfeguarde chilled water.

(7) Net true for station blackout case.

(3) Results from failure of esfeguards chilled t

water system.

(4) Resulte In lose of one nurce of AfWS feed supply, backed up by condeneste storage tank, hotwel and deserstor storage, tank.

/

I I

i

1 4

TABLE 2 SYSTEMS INTERACTION ESTIMATED COMPLETION COSTS AND SCHEDULFS Estimated ( )

Estimated Man Power Completion (Man Years)

Spatial Systems Interactions 1.

Proximity / Seismic II/I Prior to HFT 40 2.

HELBA Prior to HFT 1.5(2)

.5f2 3.

Flooding 9/83 2

4.

Internal Missiles 8/83

.5 Functicaal Interactions Design Controls ( )

1.

2.

ControlSystemsFailureEvaluggjons/PRA 4/83 21 3.

OperationalExperience(ggview 3

4 Preoperational Testing Prior to Fuel Load Human Interactions Operator Training (')

6/83 10 1.

2.

Control Room Design Review 6/83 10 (5) 3.

Other 1/84 NOTES

(

Manpower estimates do not include implementation of recommended fixes for identified problems.

) Manpower estimates do not include analyses work prior to walkdowns.

(3) Because of the difficulty in separating hours devoted to SI from hours attributed to normal functions, no hours are considered to be dedicated solely to identification of system interactions.

(/. T' These are functions that are expected to be ongoing for the life of the plant. The manpower estimates represent expenditures up to projected fuel load.

(5) These manpower estimates are included in other estimates of the table.

miO982-1317b131 Rev 0

,n

FICURE 1 SPATIAL SYSTDiS INTERACTIONS Prepare Task Description _

CP Co Safety & Licensing V

Develop " Umbrella"

,,,,Jechnical Specs Bechtel Safety

& Licensing e

Review & Consnent CP Co Safety & Licensing MPQAD, Design Prod, Site Personnel V

Develop Specific Walkdown Procedures 9r V

V

-- +l CP Co Satety Proximity Seismic II/I HELBA, Tlooding, Missiles CP Co Safety &

& Licensina Bechtel Safety & Licensing Bechtel Nuclear 1.icensina i

v y

Select & Train Select Walkdown Teams From Special Studies Site Teams Groups F

V CP Co Site Perform Site Audit Perform Site Walkdowns, Personnel Walkdowns & Docu-1

--* Verify Analytical Calculations ment Potential

,,,122AE Identify Potential Interactions Interactions Not Shown On Drawings Y

Recommend Reso-CP Co lution of Reconsnend Resolution.

CP Co Design Interactions Of Identified W

Design Concerns Production Production Bechtel Design Disciplines V

Impicnentation of Fixes i For Syntems Not For Systems Turned Over For Testing l Turned over-For

--===...

.....t...-- T m tir3,

CP Co Site Engineer CP Co Desir.n For Affected System i

Production

PPA Personnel Consultant

(

Training, Emergency Operating

)

Procedures f n

BOP Criteria 1r B&W Systems Bechtel i

g,

,r Design Controls B&W 2

Midland Bechtel Safety Midland Design Licensing Production Operational Experience f

Review

(

Ilardware Midland l

Modifications Site Preoperational Testing Midland Test Engineers FIGURE 2 FUNCTIONAL INTERACTIONS

o Control Room Design, Review Operational B&W Operating Human Factors

. lant

erience, er e e Review PCS s, Consultants CP Co Experience SOER's, Etc

!!idland Safety & Licensing /

Plant Operating PRA Staff 4

Consultant, Bechtel, B&W w

a Simulator Training Operator Training, B&W ATOG Documents Procedure Development FIGURE 3 HUMAN INTERACTIONS

_... -