ML20083D542

Advises of Completion of License Condition 2.C(3), Human Factors Engineering. Availability Study of SPDS Performed, Including Reactor Vessel Level Indication Sys & Radiation Data Mgt Sys
ML20083D542
Person / Time
Site: Seabrook 
Issue date: 09/24/1991
From: Feigenbaum T
PUBLIC SERVICE CO. OF NEW HAMPSHIRE
To:
NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM)
Shared Package
ML20083D543 List:
References
NYN-91155, NUDOCS 9110010064


Text

New Hampshire Yankee

Ted C. Feigenbaum
President and Chief Executive Officer

NYN-91155

September 24, 1991

United States Nuclear Regulatory Commission
Washington, D.C. 20555

Attention: Document Control Desk

References:

(a) Facility Operating License No. NPF-86, Docket No. 50-443

(b) USNRC Letter dated June 11, 1990, "Response to NRC Generic Letter 89-06 on the Safety Parameter Display System for Public Service Company of New Hampshire (MPA F-072, TAC NO. 73706)," V. Nerses to E. A. Brown

Subject: Completion of License Condition 2.C.(3), Human Factors Engineering

Gentlemen:

The Seabrook Station Facility Operating License, NPF-86, contains two License Conditions regarding human factors engineering that must be completed prior to startup from the first refueling outage.

Specifically, License Condition 2.C.(3), Human Factors Engineering, states:

"Before startup following the first refueling outage, PSNH shall resolve the following remaining Safety Parameter Display System issues:

(a) Perform system availability calculations including Reactor Vessel Level Indication System and Radiation Data Management System and provide a report to the staff.

(b) Perform system load test under heavily loaded plant conditions and provide a report of the evaluation to the staff."

New Hampshire Yankee (NHY) has performed an availability study of the Safety Parameter Display System (SPDS), which includes the Reactor Vessel Level Indication System and the Radiation Data Management System. SPDS availability during the period between March 12, 1990 and July 28, 1991 was 99.18 percent. This period includes the first operating cycle of Seabrook Station.

Additionally, the SPDS function of the Main Plant Computer System (MPCS) was tested under heavily loaded conditions during the Power Ascension Test Program. SPDS response time was measured and determined to be acceptable. Based upon the above, NHY concludes that License Condition 2.C.(3) has been satisfied. Detailed information regarding the results of the system availability calculations and the system load test is provided as an enclosure to this letter.

New Hampshire Yankee Division of Public Service Company of New Hampshire
P.O. Box 300, Seabrook, NH 03874, Telephone (603) 474-9521


Reference (b) requested that NHY notify the NRC staff in writing upon full implementation of the SPDS. Completion of the system availability study and load test as described above completes all commitments affecting SPDS implementation. New Hampshire Yankee considers the SPDS to be fully implemented at Seabrook Station.

Should you have any further questions regarding this matter, please contact Mr. James M. Peschel, Regulatory Compliance Manager, at (603) 474-9521, extension 3772.

Very truly yours,

Ted C. Feigenbaum

TCF:GK

cc:

Mr. Thomas T. Martin
Regional Administrator
United States Nuclear Regulatory Commission
Region I
475 Allendale Road
King of Prussia, PA 19406

Mr. Noel Dudley
NRC Senior Resident Inspector
P.O. Box 1149
Seabrook, NH 03874

Mr. Gordon E. Edison, Sr. Project Mgr.
Project Directorate I-3
Division of Reactor Projects
U.S. Nuclear Regulatory Commission
Washington, DC 20555


New Hampshire Yankee
September 24, 1991

ENCLOSURE 1 TO NYN-91155


License Condition 2.C.(3)(a)

Perform system availability calculations including Reactor Vessel Level Indication System and Radiation Data Management System and provide a report to the staff.

NHY Response:

Background Information:

The Main Plant Computer System (MPCS) at Seabrook Station is a dual host system with ten Intelligent Remote Termination Units (IRTU) in a star configuration. Each IRTU uses two Central Processing Units (CPU) to process field data. Additionally, there are two other computers linked to the MPCS supplying data; the Radiation Data Management System (RDMS) and the Reactor Vessel Level Indication System (RVLIS). The Seabrook Station Safety Parameter Display System (SPDS) is a FORTRAN program on the MPCS which consists of eight Critical Safety Function (CSF) status trees. The status tree titles are Subcriticality, Core Cooling, Heat Sink, Integrity, Containment, Inventory, Emergency Coolant Recirculation and Radiation.

NHY has undertaken an availability study of the Main Plant Computer System and the SPDS during the first year of power operation. The logic is designed such that the SPDS is considered available/operable when the following conditions exist:

1) At least one MPCS host is operational.

2) For IRTU's 1 through 7, at least one CPU is operational and all wide range analog input subsystems are operational. (IRTU's 8, 9 and 10 do not supply inputs to SPDS.)

3) For the RDMS, at least one system is operational and communicating with the prime host.

4) For the RVLIS, that both Train A and Train B are communicating with the prime host.

The effect of an IRTU or data link (RDMS, RVLIS) failure on SPDS is determined by multiplying the number of seconds the IRTU or link is failed by the fraction of SPDS CSF status trees that are affected. For example, IRTU 1 provides input to 7 trees; there are a total of 8 CSF status trees; therefore, if IRTU 1 is down for 10 seconds, SPDS unavailability is calculated as:

SPDS unavailability = 10 sec x 7/8 or 8.75 seconds.

The effect of each IRTU, data link and dual-host failure is summed and a percentage is calculated. SPDS availability during the period between March 12, 1990 and July 28, 1991 was 99.18 percent. This period includes the first operating cycle of Seabrook Station. Two events produced a major effect on the first cycle availability. The first event was loss of the RDMS data link for over 43 hours during the period May 5-7, 1990. The second was loss of RVLIS Train B for 105 hours during the period December 11-15, 1990. While the RDMS loss was due to a system software problem, the RVLIS loss was caused by a hardware failure in the RVLIS cabinet. The loss of the RDMS data link affected only two of the SPDS trees, and the RDMS computer workstation in the control room remained operational the entire time. The RVLIS failure also only affected two CSF status trees, but the Train A system remained operational so that some RVLIS data was supplied to the affected trees.
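The weighting method described above, as an added Python sketch (not code from the letter or from the MPCS): each outage contributes its duration times the fraction of CSF status trees affected, and the sum is taken against the study period. The function names are hypothetical, the study period is counted in whole days, and the two major events are entered as full losses of 43 and 105 hours, all of which are assumptions.

```python
from datetime import date

TOTAL_TREES = 8  # CSF status trees in the SPDS, per the enclosure

def weighted_unavailability(outages, total_trees=TOTAL_TREES):
    """Sum duration x (affected trees / total trees) over all outages.

    Each outage is (label, duration, trees_affected); the result is in the
    same time unit as the durations.
    """
    total = 0.0
    for label, duration, trees in outages:
        if duration < 0 or not 0 <= trees <= total_trees:
            raise ValueError(f"bad outage record: {label!r}")
        total += duration * trees / total_trees
    return total

def availability_percent(outages, period, total_trees=TOTAL_TREES):
    """Availability over `period` (same unit as the outage durations)."""
    if period <= 0:
        raise ValueError("period must be positive")
    return 100.0 * (1.0 - weighted_unavailability(outages, total_trees) / period)

def share_of_reported(outages, period, reported_percent):
    """Fraction of the reported unavailability explained by `outages`."""
    reported_down = (100.0 - reported_percent) / 100.0 * period
    return weighted_unavailability(outages) / reported_down

# Study period from the letter; counting whole days is an assumption.
PERIOD_HOURS = (date(1991, 7, 28) - date(1990, 3, 12)).days * 24

# The two major events named in the enclosure, each affecting 2 of 8 trees.
# 43 h is a lower bound ("over 43 hours"); both are treated as full losses,
# although Train A kept supplying some RVLIS data.
MAJOR_EVENTS = [
    ("RDMS data link, May 5-7, 1990", 43, 2),
    ("RVLIS Train B, December 11-15, 1990", 105, 2),
]

if __name__ == "__main__":
    print(weighted_unavailability([("IRTU 1", 10, 7)]))  # seconds
    print(weighted_unavailability(MAJOR_EVENTS))          # hours
    print(availability_percent(MAJOR_EVENTS, PERIOD_HOURS))
    print(share_of_reported(MAJOR_EVENTS, PERIOD_HOURS, 99.18))
```

Under these assumptions the two named events account for roughly a third of the unavailability implied by the reported 99.18 percent; the remainder comes from outages the enclosure does not itemize.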

License Condition 2.C.(3)(b)

Perform system load test under heavily loaded plant conditions and provide a report of the evaluation to the staff.

NHY Response:

NHY performed the system load test during the Power Ascension Testing Program (PATP). Startup test ST-43, "Process Computer", while encompassing computer point and calculation validation, included four sections dedicated to testing the SPDS function of the MPCS under stressful loading conditions. In order to impose a realistic stress condition on the MPCS and SPDS, the four sections of ST-43 were performed during the performance of other PATP tests; specifically ST-34, "Load Swing at 100% Power;" ST-35, "Large Load Reduction at 100% Power;" ST-38, "Unit Trip from 100%;" and ST-39, "Loss of Offsite Power."

The test plan, as set forth in ST-43, was to:

Depress the SPDS function button from the Shift Technical Advisor (STA) workstation in the Control Room once every minute and time the response of the SPDS overview display,

Depress the SPDS function button from the Emergency Operation Facility (EOF) workstation once every minute and time the response of the SPDS overview display,

Manually trend CPU availability using the VISION terminal every minute.

These functions were performed for 15 minutes prior to the start of the coincident test and 45 minutes following. Additionally, other items were tracked as a general indication of MPCS reliability: a) the continuous 15 minute update of the Logger Trend function in the Technical Support Center (TSC), the Shift Superintendent office (SS) and the EOF; b) the printing of the Post-Mortem Report following any reactor trip; c) the reporting by the MPCS of any system alarms or failures; and d) the number of alarms received during the 45 minutes following the stress event.


The SPDS response was as follows:

TEST                          MINUTES AFTER EVENT    AVG SPDS RESPONSE

ST-34, Load Swing             -5 minutes             2.76 seconds
at 100% Power                  5 minutes             6.36 seconds
                              10 minutes             3.20 seconds
                              15 minutes             3.12 seconds

ST-35, Large Load             -5 minutes             4.55 seconds
Reduction at 100% Power        5 minutes             7.96 seconds
                              10 minutes             6.88 seconds
                              15 minutes             4.29 seconds

ST-38, Unit Trip              -5 minutes             2.86 seconds
from 100%                      5 minutes             10.03 seconds
                              10 minutes             5.74 seconds
                              15 minutes             3.67 seconds

ST-39, Loss of                -5 minutes             4.82 seconds
Offsite Power                  5 minutes             see note below
                              10 minutes             3.26 seconds
                              15 minutes             4.10 seconds

During the performance of ST-43 in coincidence with ST-39 a failover of the MPCS occurred due to the lack of CPU availability. [The MPCS includes two redundant "host" computers. One host normally performs all processing functions and is designated the prime host computer. The other host is designated the backup and monitors the prime host for indications of normal operation. A "failover" is an automatic action in which the backup host, sensing trouble with the prime host, takes over all MPCS monitoring functions; and the former prime host is disabled to await repairs. In the failover process, up to five minutes may be required for the backup host to fully transition to the status of prime host.] The failover experienced during ST-43 resulted in loss of the MPCS as a whole for approximately 2.5 minutes and a loss of SPDS for about 3 minutes.

A Root Cause Analysis determined that the time limit set in the failover software combined with the high alarm activity caused the host failover. Every 2 seconds the MPCS is designed to receive and process data from the IRTUs. Because of the high alarm activity experienced during the loss of offsite power test, the host computer was unable to receive and process the data within the 10 second limit set by the failover software. This limit was not in the original MPCS design but was instituted by the developers of the failover software to detect failures of the host IOIS (Input/Output Interface Subsystem). There were 617 alarms received during the first 20 seconds following the loss of offsite power test (ST-39), while only 366 alarms were received during the 20 seconds immediately following the reactor trip of ST-38.


NOTE: It is important to note with regard to the above event that:

1) The MPCS responded as designed; it did not fail. The MPCS is designed to failover to the reliable backup host when a prime host component failure is detected. Additionally, when the Analog Input System was initialized on the new host (within 3 minutes) the SPDS response time averaged 10.7 seconds for the next 2 minutes, 5.26 seconds at 10 minutes, and 4.1 seconds at 15 minutes following the loss of offsite power test.

2) Following a plant transient of this type, the control room operators are required to immediately enter Emergency Operating Procedure (EOP) E-0, "Reactor Trip and Safety Injection." E-0 requires the operator to begin monitoring the critical safety functions at step 27 or when exiting E-0. Additionally, the STA manually verifies the critical safety functions prior to responding to a computer determined status tree result. Any instance of incorrect/unevaluated status trees would be noted and manually monitored until the trees were shown to be reliable via MPCS evaluation.

3) During the performance of ST-39, the operating crew entered E-0, performed the first four steps, and then entered a modified ES-0.1, "Reactor Trip Response," (contained in ST-39). The critical safety functions were monitored by the STA as required. Once the MPCS returned (within 3 minutes), the critical safety functions were verified to be reliable by comparison to the MPCS evaluation.

A System Problem Report was issued to investigate solutions to prevent failover during loss of offsite power transients. The solution was a system software enhancement implemented in April 1991. On June 27, 1991, the Station experienced a loss of incoming power which effectively simulated a loss of offsite power transient. During this event, the MPCS was monitored and verified to operate normally (i.e. it did not experience a failover, lose alarms or other functions.) This event, therefore, confirmed that the system software enhancement had solved the host failover problem.

In conclusion, although acceptable test results were achieved and the June 27th power loss event demonstrated the effectiveness of the system software enhancement, NHY recognizes that the MPCS is heavily loaded. As a result, NHY is currently evaluating replacement of the MPCS.
