Forwards Comments on Open Items Associated w/AP600 Safety Parameter Display Sys(Spds)

ML20132E278
Person / Time
Site:	05200003
Issue date:	12/19/1996
From:	Huffman W NRC (Affiliation Not Assigned)
To:	Liparulo N WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP.
References
NUDOCS 9612230203
Download: ML20132E278 (14)
v • d • e

Text

. . i December 19, 1996 Mr. Nicholas J. Liparulo, Manager Nuclear Safety and Regulatory Analysis Nuclear and Advanced Technology Division Westinghouse Electric Corporation P.O. Box 355 Pittsburgh, Pennsylvania 15230 i

]

s

SUBJECT:

COMMENTS ON OPEN ITEMS ASSOCIATED WITH THE AP600 SAFETY PARAMETER  !

DISPLAY SYSTEM (SPDS)

Dear Mr. Liparulo:

The Nuclear Regulatory Commissien (NRC) staff has recently completed review of j Section 18.8.2 of the AP600 standard safety analysis report (Revision 9) i related to the SPDS (0 pen Item 18.8.2.3). The SPDS review is included as part of Element 7 of the Human Factors Engineering Program Review Model (HFEPRM). '

Staff open items on the SPDS were previously provided to Westinghouse in a l letter dated September 28, 1995. An update on the current status of the human factors review of the AP600 SPDS has been provided as an enclosure to this  :

letter.

If you have any questions regarding this matter, you can contact me at (301) 415-1141.

Sincerely, original signed I,y:

I William C. Huff; nan, Project Manager Standardization Project Directorate Division of Reactor Program Management Office of Nuclear Reactor Regulation j Docket No.52-003 I

Enclosure:

AP600 Open Item Resolution of SPDS Issues y cc w/ enclosure:

See next page hh

}fq l

f j DISTRIBUTION: ,

iDocket File PDST R/F TMartin l PUBLIC DMatthews TRQuay l TKenyon BHuffman JSebrosky i DJackson JMoore, 0-15 B18 WDean, 0-17 G21  ; l ACRS (11) BBoger, 0-9 E4 CThomas, 0-9 HIS JBongarra, 0-9 HIS DOCUMENT NAME: A:SPDSREV1.LTR Ta seceive a copy of this document,Indcate in the box: *C* = Copy without ettechment/ enclosure 'E' = Copy with attachment / enclosure *N* = No copy 0FFICE PM:PDST:DRPM m .

BC:HHFB:DRCH E D:PDST:DRPM l NAME WCHuffmhndatf M4 Thomas _W +-TRQuayP

• 12/ tcdT6 DATE 12/17 /96 12/6/96 9

~30044 96122302o3 96 21 eoa Aoacx 03200003 A PDR

. . l i

. 1 Mr. Nicholas J. Liparulo Docket No.52-003 _

Westinghouse Electric Corporation AP600 l

cc: Mr. B. A. McIntyre Mr. Ronald Simard, Director  !

Advanced Plant Safety & Licensing Advanced Reactor Programs Westinghouse Electric Corporation Nuclear Energy Institute Energy Systems Business Unit 1776 Eye Street, N.W.

P.O. Box 355 Suite 300 Pittsburgh, PA 15230 Washington, DC 20006-3706 Mr. John C. Butler Ms. Lynn Connor Advanced Plant Safety & Licensing Doc-Search Associates Westinghouse Electric Corporation Post Office Box 34 Energy Systems Business Unit Cabin John, MD 20818 Box 355 l

Pittsburgh, PA 15230 Mr. James E. Quinn, Projects Manager  ;

LMR and SBWR Programs I Mr. M. D. Beaumont GE Nuclear Energy Nuclear and Advanced Technology Division 175 Curtn : Avenue, M/C 165 Westinghouse Electric Corporation San Jose, CA 95125 1 One Montrose Metro 11921 Rockville Pike Mr. Robert H. Buchholz Suite 350 GE Nuclear Energy i Rockville, MD 20852 175 Curtner Avenue, MC-781 San Jose, CA 95125 Mr. Sterling Franks U.S. Department of Energy Barton Z. Cowan, Esq.

NE-50 Eckert Seamans Cherin & Mellott 19901 Germantown Road 600 Grant Street 42nd Floor Germantown, MD 20874 Pittsburgh, PA 15219 Mr. S. M. Modro Mr. Ed Rodwell, Manager Nuclear Systems Analysis Technologies PWR Design Certification Lockheed Idaho Technologies Company Electric Power Research Institute Post Office Box 1625 3412 Hillview Avenue Idaho Falls, ID 83415 Palo Alto, CA 94303 Mr. Frank A. Ross Mr. Charles Thompson, Nuclear Engineer U.S. Department of Energy, NE-42 AP600 Certification Office of LWR Safety and Technology NE-50 19901 Germantown Road 19901 Germantown Road Germantown, MD 20874 Germantown, MD 20874

Element 7 HSI Design SAFETY PARAMETER DISPLAY SYSTEM (SPDS)

To address Element 7 SPDS open items, Westinghouse submitted a response (June 7, 1995) to RAI 620.48. The open item contains several subcomponents.

As a result of the review of the Westinghouse response several open items were resolved. The results of the review were sent to Westinghouse in a letter dated September 28, 1995.

To address the remaining open items, Westinghouse submitted SSAR (Revision 9)

Section 18.8.2, Safety Parameter Display System.

The following is an overview of the status of the results of the review.

Open Item (OITS f. DSER #1 Current Status 1362 18.8.2.3-1: SPDS Implementation Details Action W This open item is based on nine individual SPDS criteria. The open item will be resolved when all nine individual criteria are resolved. The current status of each is:

1. General SPDS Requirements Resolved

2. Rapid and concise display of safety parameters Action W

3. Convenient display of safety parameters Resolved

4. Continuous Resolved

5. High reliability Action W*

6. Isolation Action W* l

7. Human factors engineering Resolved

8. Minimum information Action W

9. Procedures and Training Resolved

• Requires final review and approval by NRC I&C Branch 1

Enclosure l l

l l

i i

i Doen Item 18.8.2.3-1: SPOS Imolementation Details

1. General SPDS Reauirements Crfterton: The top-level requirements for SPDS are contained in 10 CFR 50.34 (f)(2)(iv). The detailed NRC criteria which follow were derived from NUREG-0737, Supplement 1.

DSER Evaluatfon: In SSAR Section 18.9.2.2.6, Westinghouse states that "the alarm system meets the requirements of the safety parameter display system (SPDS)." In the response to RAI 620.48 (Revision 0), Westinghouse states that in the AP600 control room, alarms will be better organized, have cause-effect relationships more clearly presented, and be fewer in number than is typical in current control rooms. Westinghouse concludes that this presentation, in combination with the analog information regarding plant processes provided by other control board CRT displays, satisfies the intent of the SPDS requirement.

In SSAR Section 1.9.3, item (2)(iv), Westinghouse states that alarms are grouped "by plant process or purpose, as directly related to the critical l safety functions" and that the requirement for analog display of plant i parameters is met by similarly grouped information available on graphic CRT displays. l The staff sekaowledges that the implementation of SPDS in a new advanced plant will and should be different than that which was backfit into existing NPPs.

An implementation as preposed by Westinghouse may satisfy the SPDS requirements. However, the high-level concepts and criteria still should be addressed in such a new implementation. Given the current state of the MCR HSI design,1t is not possible to determine whether the SPDS will meet the requiremeats. Thus the SPDS implementation is considered an open item.

Proposed Resolutfon: 10 CFR 50.34 (f)(2)(iv) indicates that the design should provide a plant safety parameter display console that will display to operators a minimum set of parameters defining the safety status of the plant, capable of displaying a full range of important parameters and data trends on demand, and capable of indicating when process limits are being approached or exceeded. These requirements are addressed below.

(a) A plant safety parameter display console will be provided that will display to operators a minimum set of parameters defining the safety status of the plant.

In RAI 620.48, Revision 2, Westinghouse addresses the SPDS concerns and criteria via an integrated design rather than a stand-alone, add-on system, as is used at most current operating plants. The regulatory requirements will be net by integrating the SPDS requirements into the design requirements for the alarm and display systems. In NUREG-0800, the staff indicated that, for applicants who are in the early stages of the control room design, the

" function of a separate SPDS may be integrated into the overall control room design" (p. 18.0-1). Thus, this general approach is acceptable to the staff and an exemption from the requirement for an SPDS console is appropriate for the AP600 design.

However, for the implementation of an integrated SPDS to be acceptable, it must meet the detailed SPDS requirements reflected in this item.

(b) The SPDS will be capable of displaying a full range of important parameters and data trends on demand.

The minimum set of parameters defining safety status is reviewed in Criterion 8. With respect to other "important parameters," the Westinghouse's integrated M-MIS design provides parameter display to operators via the wall panel information display and the workstation displays. A complete specification of the individual parameters to be displayed will be developed as the MCR design and its supporting analyses, such as FBTA and HRA, continue.

In response to RAI 620.48 (Revision 2), Westinghouse indicated that ESF actuation signals (reactor trip, safety injection, containment isolation) are signals that are available for display. In SSAR Section 18.9.5.1, Westing-house indicates that the plant parameters needed to satisfy Reg Guide 1.97 are identified'in an analysis of operator monitoring of the RCS, secondary heat removal system, the containment and the system used for attaining safe shutdown conditions. SSAR Chapter 7 identifies parameters for the monitoring of CSFs and PAM.

The ability of operators to call up data trends on demand is implied in Section 18.9.5.

(c) The SPDS will be capable of indicating when process limits are being approached or exceeded.

This SPDS function will be satisfied by the AP600 alarm management system.

Another set of top level requirements for the SPDS is contained in NUREG-0737-Supplement No.1, 3.8.a, Items (1), (2), and (3). These are expressed'in terms of one acceptable way of implementation with other proposals to be reviewed as necessary.

Item (1) states that the licensee / applicant should review the functions of the nuclear power plant operating staff that are necessary to recognize and cope with rare events that (a) pose significant contributions to risk, (b) could cause operators to make cognitive errors in diagnosing them, and (c) are not included in routine operator training programs.

Item (2) states that the licensee / applicant should combine the results of this (1) review with accepted human factors principles to select parameters, data display, and functions to be incorporated into the SPDS.

Item (3) states they should then design, build, and install the SPDS in the control room and train its users.

Westinghouse's selection of rare events that present significant contributions to risk for use in control room (and hence SPDS) design was discussed in their June 30, 1995 response to DSER open items 18.5.3-1 and -2. Following con-siderable discussion between the staff and Westinghouse on the risk criteria for selecting those activities to design the control room (and hence the SPDS), an approach that was acceptable to the staff was developed concerning risk-significant actions. Thus, Item (1) of Criterion I related to SPDS was acceptably addressed.

Westinghouse committed to design, build and install the SPDS/ control room in accordance with accepted human factort principles as discussed throughout the entire-SSAR (Revision 9) Section 18. This commitment addressed Item 2.

The training of users was discussed by Westinghouse in their response to the training review. However, training has been defined as a COL ites (see SSAR-(Revision 9) Section 18.10, Training Program Development. Thus the SPDS training issue will not be addressed as part of the design certification review.

Based on this information, the open item is resolved and the criterion is satisfied.

STATUS OF THE CRITERION: Resolved

2. Rapid and concise display of safety otrameters Criterion: The SPDS should provide a rapid and concise display of critical  !

plant variables to control room operators.  !

DSER Evaluation: The rapidity with which SPDS related alarms and displays  !

will be presented is not explicitly discussed. In SSAR Section 18.9.2.4.9, Westinghouse describes the processing time, update rate, and display access time requirements for the alarm system as a whole. The maximum processing ,

time permitted from data input to alare display is given as 2-3 seconds. The l refresh rate for the display of a process variable is no less frequently than

.once every two seconds. The time permitted for the system to create and show a requested display (or to acknowledge the request for a complex display) is two seconds.

DSER Evaluation of the conciseness of the presentation of SPDS-related i information depends on implementation details not available at this time.

Proposed Resolution: The basis for the requirement for a concise display stems from the lack of centralized display capability in the TMI-2 control room. TMI-2 control room personnel could not easily develop an overview of '

. . 1

> - l j

plant conditions, which contributed to the severity of the accident. In their response to RAI 620.48 (Revision 2) checklist Items 3.1, 3.2 and 3.3, Westing-house stated that backfit applications of the AWARE alarm management system i are organized around the concept of plant process functions, which include the five safety functions defined by the NRC for the SPDS. The layout of these functions ensures that they are always visible. For the AP600, a similar i design will be used for the Wall Panel Information System. Further, the  !

Westinghouse computerized Emergency Operating Procedure (EOP) System (COMPRO) provides a continuous display of the overall state of each of the five safety i functions and the AP600 computerized procedures for the E0Ps will have the j same feature. Westinghouse has also committed to group the individual '

parameters that support the safety functions by those safety functions in both the AP600 alarm system and the Plant Information System displays. Westing-house stated that the status of all five safety functions will always be i displayed via the alarm system overviews that will be displayed to the operators through the Wall Panel Information System. Thus a concise display will be available which acceptably addresses this aspect of the SPDS criterion.

Regarding the criterion of a rapid display, judgement of a rapid display is dependent on sample rate, update rate, system response times, and a display format that is easy-to-understand and rapidly comprehended.

Westinghouse, in item 5 of the checklist response to RAI 620.48 (Revision 2),

stated that while the full control room (and SPDS) is not yet fully designed, the design goal for the graphical display response time is 2 sec; the design goal for AP600 M-MIS is to update the displays every 1 to 2 sec; the process data sampling is 1 sec or less; and sequence of events points can be sampled at a rate of once every millisecond and are available as appropriate within the AP600 M-MIS. Westinghouse also committed to develop appropriate human-factored display formats. These commitn.ents met the criterion with the exception of response time, as explained below.

The acceptability of a display response time of two seconds for operator support during transient operations may be problematic for operators. The staff recognizes that this value is within the response time originally developed for SPDS. However, such SPDS consoles were supplemental to the available indications and controls. It is also recognized that a 2 second response time is within the time range recommended by most current HFE guidelines. However, this value is based on general literature and,  !

therefore, may not be fully adequate for emergency operations in a process j control environment such as a nuclear power plant. Delays have the potential  ;

to create frustration in operators who are used to having information j instantly available through continuously displayed analog instruments. The staff, therefore, recommended that Westinghouse commit to verify the accep-tability of the two second criterion and if found unacceptable to determine the appropriate display response time. j 1

In SSAR (Revision 9), Section 18.8.2.2, Display of Safety Parameters, Westing-house indicated that the acceptability of the display response time of 1

j

. l i

2 seconds would be evaluated during man-in-the-loop concept testing. If found unacceptable, a revised time would be determined. Further, Westinghouse included this design issue in the HFE issue tracking system. This approach is acceptable to the staff. However, WCAP-14396, Revision 1, Man-in-the-Loop l Test Plan, does not include this issue as one to be tested. Westinghouse  ;

should clarify where this issue will be addressed, l l

STATUS OF THE CRITERION: Action W l l

3. Convenient display of safety carameters Criterion: The location of the SPDS should be convenient to control room operators.

DSER Evaluation: In SSAR Section 1.9.3, item (2)(iv), Westinghouse states that

" displays are available at the operator workstations, the supervisor workstation, the remote shutdown workstation, and the technical support center." '

Proposed Resolution: To meet this criterion, the SPDS should be convenient to all operators / users of the SPDS. In Westinghouse's response to RAI 620.48 I

(Revision 2) in section 5 of the checklist, they indicated that the SPDS would utilize the main control alarm system and display system in order to fully integrate the SPDS into the AP600 M-MIS. All process displays and controls l (including the SPDS) will be available at each of the two redundant operator workstations. The control room supervisor has another console that contains all of the same displays. The STA also has a console with all displays.

Finally, the Wall Panel Information System is a parallel display device that also contains the SPDS information and is available and viewable by all in the control room.

This information was acceptably incorporated into SSAR (Revision 9) Sec-tion 18.8.2.2, Display of Safety Parameters. Thus, the status of critical safety functions is conveniently located where it can be monitored from anywhere in the control room and is continuously displayed by the overview

larms presented on the wall panel information system and, in addition, in the computerized emergency operating procedures system when in use.

This information resolves the open item and satisfies the criterion.

STATUS OF THE CRITERION: Resolved

4. Continuous display of safety carameters Criterion: The SPDS should continuously display plant safety status infor-mation.

i

. . l

. l DSER Evaluatfon: In the response to RAI 620.50 Westinghouse states that "the AP600 control room design concept is that few or no displays will be fixed or continuously displayed." The response notes that the advantages of spatial dedication are employed in the alarm overview displays and the wall panel information system, but notes that the displays have operator-selectable elements and are dynamic (i.e., change with plarA state).

Proposed Resolution: Westinghouse's response to RAI 620.48 (Revision 2) indicates that the status of all five safety functions is always displayed via the alarm management system. The alarm system is organized on the dark board concept for all plant modes. Thus, no alarms indicates that the status of all safety functions is acceptable. The alarm system also will have failure indicators to ensure the operability of the alarm system itself. Further, the response in checklist Item 3.1 states that the AP600 computerized procedures for E0Ps will provide a continuous display of the overall state of each of the safety functions as part of the E0P requirement to monitor the status of the Critical Safety Function Status Trees.

This information was acceptably incorporated into SSAR (Revision 9) Sec-tion 18.8.2.2, Display of Safety Parameters. Thus, the status of critical safety functions is conveniently located where it can be monitored from anywhere in the control room and is continuously displayed by the overview alarms presented on the wall panel information system and, in addition, in the computerized emergency operating procedures system when in use.

This information resolves the open item and satisfies the criterion.

STATUS OF THE CRITERION: Resolved

5. Hiah reliability  !

Criterion: The SPDS should have a high degree of reliability. )

DSER Evaluation: A response to this criterion was not received by the staff I in time to be evaluated for inclusion in the DSER. '

Proposed Resolution: The SPDS is to be incorporated into the AP600 control room, however the control room is not yet designed. Westinghouse's response to RAI 620.48 (Revision 2), checklist item 4 indicates that availability and j

reliability criteria will be included in the design process as is standard for Westinghouse I & C systems. The Westinghouse response to this criterion (i.e., a commitment by Westinghouse to provide a description of how a high degree of reliability will be achieved for all I&C systems including the SPDS) j has been determined acceptable by the Instrumentation and Control Branch. '

Based on this information, this DSER issue is considered resolved.

1

! This criterion will be satisfied when the commitment to provide the SPDS function with a high degree of reliability is made in an appropriate ITAAC and the SSAR is revised to include a description, acceptable to the Instrumen -

l tation and Control Branch, of the process Westinghouse will use to provide the j high degree of reliability for the SPDS function.

i STATUS OF THE CRITERION: Action W i

6. Isolation

Criterion: The SPDS should be suitably isolated from electrical or electronic

{ interference with safety systems.

l DSER Evaluation: A response to this criterion was not received by the staff

in time to be evaluated for inclusion in the DSER.

t i Proposed Resolutfon: Westinghouse's response to RAI 620.48 (Revision 2),

i checkli:;t Item 7 states that a discussion of the electrical isolation for the

! control room is in SSAR Chapter 7. The Westinghouse response to this

criterion (i.e., that data links are fiber-optic isolated, transmit only, to i the monitor bus) has been reviewed by the Instrumentation and Control Branch

- and determined to acceptably address suitable isolation of the SPDS.

i' Based on this information, this DSER issue is considered resolved.

This criterion will be satisfied when the commitment to provide a suitably isolated SPDS function is made in an appropriate ITAAC.

STATUS OF THE CRITERION: Action W

7. Human factors enaineerina Crfterion: The SPDS should be designed incorporating accepted human factors principles.

DSER Evaluation: While the human factors engineering of the alarm system and graphic displays that serve the SPDS function, as described in SSAR Sec-tion 18.8 and 18.9, is addressed as part of the overall control room human factors engineering design process review, specific commitment to SPDS HFE as per NRC requirements is needed.

Proposed Resolution: Westinghouse's response to RAI 620.48 (Revision 2) states that the SPDS will be incorporated in the control room alarm and display systems. In accordance with the PRM element on HSI design (evaluated herein), it is considered that the HSI design is acceptable at the program plan level. _ The detailed implementation of SPDS displays, controls, and interface management (e.g., navigation) characteristics will not be complete

l I

f.

t i until after design certification. This information was acceptably i

! incorporated into SSAR (Revision 9) Section 18.8.2.5, Human Factors Engineer-l ing. Based on this information, the open item is resolved and the criterion

] is satisfied.

l STATUS OF THE CRITERION: Resolved i

8. Minimum information i

i Criterion: The SPDS should display sufficient information to determine plant i safety status with respect to safety functions (as shown in Table 2 of

NUREG-1342). The safety functions and parameters of Table 2 were developed for t

conventional PWRs. They will still generally be applicable for. the AP600, but i

will need to be revised slightly to address the AP600, passive plant differen-i ces.

! DSER Evaluation: DSER Evaluation .of this level of detail is premature, hence j this criterion will remain open and is part of Open Item 18.8.2.3-1 above.

Proposed Resolutfon: In discussing the minimum parameters for display,  !

' NUREG-1342 states that the minimum information to be provided shall be l sufficient to provide information about the following five safety functions: )

i reactivity control, reactor core cooling and heat removal from the primary i system, RCS integrity, radioactivity control, and containment conditions. The

! specific parameters to be displayed are to be determined by licensees and i l applicants. Sample acceptable parameters for BWRs and PWRs are contained in  !

Tables 2 and 3 of NUREG-1342. '

i

In Westinghouse's response to RAI 620.48 (Revision 2) checklist Item 2.1,- they indicated that presentation of process data through the abnormality (alarm)

messages on the Wall Panel Information System and through the VDU graphical displays is organized around these five safety functions. However, Westing-house took exception to the reactor core cooling and heat removal function.

, Specifically, Westinghouse indicated that the function would be defined at the ,

! level of individual parameters such as RCS temperature, RCS water mass  !

! inventory, RCS pressure, RCS circulation, steam generator water level, RHR i' flow, and. RHR heat exchanger delta-temperature. Westinghouse stated that integrating these parameters into a' single function would increase operator workload because if a problem occurred, then the operator must mentally i determine which of the sensed variables (parameters) must be addressed. 1 i Further, Westinghouse indicated that the AP600 M-MIS will support the operator i activity of situation assessment at the same level of abstraction as the ,

j control devices with which operators must use to take corrective actions.

{ In the staff's opinion, decomposing the reactor core cooling and heat removal

! function into several parameters would potentially detract from the operator's 3 ability to monitor that CSF i.e., rapid determination that the status of each l CSF is acceptable. Westinghouse's proposed approach appeared to create i

l

. additional workload associated with the operator having to check each in-dividual parameter status to determine that the function is satisfactory.

This was one of the problems that led to the staff's requirement for an SPDS.

Presenting both levels of display (function and individual parameter) however, is an approach consistent with a levels of abstraction view. When a problem occurs, operators will not have to " mentally determine which of the sensed variables must be addressed," with the more detailed information being presented (e.g., automatically) and will also be able to monitor the status of the CSF. The Westinghouse approach seemed to imply that information should only be presented at one level of abstractian, i.e., the level at which the operator controls the process. However, the design philosophy generally seems to be that various levels of abstraction are desirable because, depending on the task, different levels are necessary. The task of monitoring CSFs is sup-ported by a display at a higher level. As an example for the function in question (reactor core cooling and heat removal from the primary system),

potential function level displays could be subcooling margin, heat transfer rate from the reactor, and heat transfer rate from the primary to the secon-dary.

In Westinghouse's response to RAI 620.48 (Revision 2) checklist Item 2.2, they indicated that the variables depicting each of the five safety functions are in SSAR (Revision 8) Section 7.5.3.2, Table 7.5-b (Type B Variables and parameters). Individual parameters for the safety functions identified as acceptable by the staff for PWRs are listed in Table 2 of NUREG-1342 and were used as the starting point for the staff's review.

(i) For reactivity c% trol, the SPDS should display power range, intermedi-ate range and source range reactor power. SSAR (Revision 8)

Table 7.5-5 indicated that for AP600 this function will include neutron flux, control rod position, and boric acid concentration. Various ranges of neutron flux are not described.

(ii) For reactor core cooling and heat removal, the SPDS should monitor RCS level, subcooling margin, temperatures (Th, Tc, core exit), steam generator (SG) pressure, and RHR flow. SSAR (Revision 8) Table 7.5-5 contained all of these except RCS level, subcooling margin, and steam generator pressure.

(iii) For RCS integrity, the SPDS should monitor RCS pressure, Tc, contain-ment sump level, and for the steam generator (SG) - pressure, level, and blowdown radiation. SSAR (Revision 8) Table 7.5-5 indicates that i this function will include RCS pressure, WR Th, WR Tc. Sump levels  !

(except perhaps as containment water level) and SG parameters were not  !

addressed.  !

l (iv) For radioactivity control, the SPDS should monitor effluent stack i monitors, steamline radiation, and containment radiation. Of these,  !

only containment area high range radiation were included in SSAR Table  !'

(Revision 8) 7.5-5.

i l

l l

l

l i l 4

1

!. l i  !

4 l

e i (v) For containment conditions, the SPDS-should monitor containment pres-

. sure, containment isolation status, and hydrogen concentration. SSAR j Table (Revision 8) 7.5-5 indicates that this function will include ,

i containment pressure, containment area high range radiation, contain-  ;

j ment water level, and hydrogen concentration. Containment isolation l j status did not appear to be addressed. 1 1

In a letter dated September 28, 1995 from NRC to Westinghouse, the staff  !

requested further explanation as to why Westinghouse's proposed approach to monitoring the core cooling and heat removal function would not result in an increase operator workload and an explanation as to why for the parameters I noted above were not identified. This information is generally addressed in i SSAR (Revision 9) Sections 18.8.2.2, Display of Safety Parameters, and i

-18.8.2.6, Minimum Information. In Section 18.8.2.2, the five critical safety l functions are listed but no reference is made to the parameters used. In l Section 18.8.2.6, individual parameters are addressed only through a reference  !

to Table 2 of NUREG-1342 which, as noted above, provides acceptable parameters for monitoring safety functions. Note: The SSAR points to " reference 31" .

which is the designers input to procedures, WCAP-14690. This must be an  !

error. The proper reference is 32 which is the NUREGn. However, these are '

noted as a starting point and not the actual parameters. The staff considers ,

Westinghouse's description presented in Revision 9 of the SSAR to reflect a

• movement away from the approach to SPDS which gave rise to the concerns identified. The current approach places SPDS design clearly within the HFE ',

plan, defers detailed design to be a post certification activity, and includes minimum information for safety monitoring as an HFE issue tracking system item. The staff agrees in principle with this decision because Element 7 is I being reviewed at an implementation plan level only. ,

The SSAR indicates that, using the NUREG information as a start, the AP600 HSI '

design process will define the integration of safety function monitoring into l AP600 displays. Westinghouse has identified the issue of what constitutes the l minimum information as an HFE issue to be tracked in the tracking system.  !

While this may be a reasonable approach, the SSAR does not provide sufficient  ;

information to resolve the open item. Specifically the staff's detailed  !

ccncerns regarding the provision of the overall status for all safety l functions at the functional level and the identification of specific parameters were not addressed. Since no description of the issue tracking system was provided, it is unclear whether Westinghouse intended to address the staff's concerns. Westinghouse should address these issues and commit in the SSAR to provide, as part of the HSI design process, a justification for  !

each parameter from Table 2 of NUREG-1342 that is not included as part of safety status monitoring. ,

STATUS 0F THE CRITERION: Action W

O . .

4

, l

9. Procedures and Trainina  ;

Criterion: Procedures and operator training, addressing actions with and without SPDS, should be implemented.

DSER Evaluatfon: Since SPDS is not treated as a separate entity in the SSAR, procedures addressing actions related to SPDS are not discussed. Due to the integrated nature of the proposed SPDS implementation for AP600 the common i approach could be acceptable., '

Proposed Resolutfon: Concerning the relationship between procedures and SPDS, Westinghouse's response to RAI 620.48 (Revision 2) indicated that all parame-ter units, labels and abbreviations on SPDS are consistent with the units of  !

measure included in the E0Ps. Since detailed displays and E0Ps have not been developed yet, this should be a commitment to verify. Provisions for operations with and without critical safety function monitoring should be j included in the commitment. '

With regard to training, Westinghouse's response to RAI 620.48 (Revision 2) indicated that simulator training includes the use of SPDS. However, no specific commitment in the SSAR was identified. Westinghouse indicated that detailed training program development and procedure development will be COL responsibilities.  :

SSAR (Revision 9) addressed procedures and training in Section 18.8.2.7, Procedures and Training. This section indicates that procedures and training are the responsibility of the Combined License applicant. Thus review of this SPDS criterion is a post design certification activity.

STATUS OF THE CRITERION: Resolved l