ML20135D505
| ML20135D505 | |
| Person / Time | |
|---|---|
| Site: | Catawba  |
| Issue date: | 09/10/1985 |
| From: | Adensam E Office of Nuclear Reactor Regulation |
| To: | Tuccker H DUKE POWER CO. |
| References | |
| NUDOCS 8509160081 | |
| Download: ML20135D505 (13) | |
Text
,.
I, September 10, 1985 Docket No. 50-414 DISTRIBUTION:
Docket F1le.
NRC PDR local POR Mr. H. B. Tucker, Vice President PRC System Nuclear Production Department NSIC Duke Power Company LB #4 r/f' 422 South Church Street JPartlow Charlotte, North Carolina 28242 MDuncan BGrimes KJabbour EJordan
Dear Mr. Tucker:
0El.D. Attorney Glapinsky -
ACRS (16)
WRegan
Subject:
Catawba Nuclear Station, Unit 2 - Transmittal of the Safety l
Parameter Display System (SPDS) Audit Results On May 14 and 15, 1985, the NRC staff and its consultants conducted an audit of the Catawba Unit 2 SPDS. The enclosed audit report identifies, for certain areas, the additional information required by the staff to complete its review of these areas. However, as stated in the report, the staff's review of two areas (i.e., Procedures and Systems, and Instrumentation and Control Systems) has not been completed. We expect to complete our review of these areas and to transmit to you our coments in the early part of October 1985.
Please provide the additional infonnation requested in the enclosed report within 60 days of receipt of this letter.
Should you have any questions regarding this matter, please contact the Project Manager, Kahtan Jabbour, at 301-492-9789.
The reporting and/or recordkeeping requirements contained in this letter affect fewer than ten respondents; therefore, OMB clearance is not required under P.L.96-511.
1 Sincerely, o
Elinor G. Adensam, Chief
. licensing Branch No. 4 Division of licensing i
Enclosure:
e As stated h
cc: See next page gn 0111 Gill 0 s
DES 10E 8509160081 850910 I
fDR ADOCK O 4
igica W-DL:LB #4 LAQL B #4 DL:lB #4
/
3 KJabbour/ah MDQncan EAdensam 9//0/85 9/g/85 9/p /85
};
Mr. H. B. Tucker Duke Power Company Catawba Nuclear Station cc:
William L. Porter, Esq.
North Carolina Electric Membership Duke Power Company Corp.
P.O. Box 33189 3333 North Boulevard Charlotte, North Carolina 28242 P.O. Box 27306 Raleigh, North Carolina 27611 J. Michael McGarry, III, Esq.
Bishop, Liberman, Cook, Purcell Saluda River Electric Cooperative, and Reynolds Inc.
1200 Seventeenth Street, N.W.
P.O. Box 929 Washington, D. C.
20036 Laurens, South Carolina 29360 North Carolina MPA-1 Senior Resident Inspector Suite 600 Route 2, Box 179N 3100 Smoketree Ct.
York, South Carolina 29745 P.O. Box 29513 Raleigh, North Carolina 27626-0513 Regional Administrator, Region II i
U.S. Nuclear Regulatory Commission, Mr. C. D. Markham 101 Marietta Street, NW, Suite 2900 Power Systens Division Atlanta, Georgia 30323 Westinghouse Electric Corp.
P.O. Box 355 Pittsburgh, Pennsylvania 15230 Robert Guild, Esq.
P.O. Box 12097 NUS Corporation Charleston, South Carolina 29412 2536 Countryside Boulevard Clearwater, Florida 33515 Palmetto Alliance 2135 i Devine Street Mr. Jesse L. Riley, President Columbia, South Carolina 29205 Carolina Environmental Study Group 854 Henley Place Karen E. Long Charlotte, North Carolina 28208 Assistant Attorney General N.C. Department of Justice Richard P. Wilson, Esq.
P.O. Box 629 Assistant Attorney General Raleigh, North Carolina 27602 S.C. Attorney General's Office P.O. Box 11549 Soence Perry, Esquire Columbia, South Carolina 29211 Associate General Counsel Federal Emergency Management Agency Piedmont Municipal Power Agency Room 840 100 Memorial Drive 500 C Street Greer, South Carolina 29651 Washington, D. C.
20472 Mark S. Calvert, Esq.
Mr. Michael Hirsch Bishop, Liberman, Cook, Federal Emergency Management Agency Purcell & Reynolds Office of the General Counsel 1200 17th Street, N.W.
Room 840 Washington, D. C.
20036 500 C Street, S.W.
Washington, D. C.
20472 Brian P. Cassidy, Regional Counsel Federal Emergency Management Agency, Region I J. W. McCormach POCH Boston, Massachusetts 02109 l
i
ENCLOSURE SAFETY PARAMETER DISPLAY SYSTEM AUDIT RESULTS FOR CATAWBA UNIT 2, DOCKET NO. 50-414
1.0 INTRODUCTION
On May 14 and 15, 1985, the staff and its consultants (Science Applications International Corporation and Comex) conducted an audit of the Catawba 2 Safety Parameter Display System (SPDS). The purpose of the audit was to clarify details of the Verification and Validation (V&V) program, confirm that the V&V program is being appropriately implemented, audit the results of the V&V program, and to review the installed SPDS. The agenda that was followed during the audit is included as Attachment I and a list of attendees as Attachment 2.
2.0 BACKGROUND
The principal purpose and function of the Safety Parameter Display System (SPDS) is to aid control room personnel during abnormal and emergency conditions in determining the safety status of the plant and in assessing whether abnormal conditions warrant corrective action by operators to avoid a degraded core. During emergencies the SPDS serves as an aid to evaluating the current safety status of the plant, executing function-oriented emergency _ procedures, and monitoring the impact of engineered safeguards or mitigation activities. The SPDS also operates during normal operations, continuously displaying information from which the plant safety status can be.readily and reliably assessed.
. Requirements regarding the SPDS are defined in Supplement I to NUREG-0737. The staff's acceptance criteria and review guidance are contained in NUREG-0800, Section 18.2.
The scope of the staff's review is limited to the principal function of the SPDS. The review is bounded by the minimum set.of plant variables, and whatever hardware, software processing algorithms and training are needed to achieve the principal SPDS functions. Secondary functions, such as presentation of data to assist operators with diagnosis of abnormal conditions, are not part of the scope of the SPDS review.
3.0 SYSTEM DESCRIPTION The Catawba SPDS is a software application programmed on an already existing computer system (Honeywell 4400) called the Operator Aid Computer (0AC).
The SPDS design consists of a display containing six critical safety function (CSF) boxes that use color and pattern coding to convey the status of the function. The functions monitored are:
- 1) subtriticality,
- 2) core cooling, 3) heat sink, 4) integrity, 5) containment, and 6) inventory. Secondary displays provide further information in the form
. of six status trees, one for each CSF. The status tree displays are based on the Westinghouse Owners' Group (WOG) Emergency Response Guidelines (ERGS). The status trees are formatted with ERG entry conditions on the left, proceeding through various decision nodes, and ending in emergency procedure identification numbers or a "CSF SAT" endpoint. The CSF boxes are continuously displayed at the bottom of all SPDS displays, but not on other displays in the OAC system. However, the CSF blocks are permanently displayed on a dedicated " alarm video" in the control room.
4.0 DISCUSSION The audit results which follow are organized by general subject area.
The branches with primary review responsibility for each subject area are identified parenthetically.
4.1 Parameter Selection (Procedures and Systems Review Branch)
A representative of the Procedures and Systems Review Branch (PSRB) was not present at the audit and, therefore, the adequacy of the applicant's parameter selection process was not specifically discussed. The applicant has submitted a safety analysis (Ref. 1) and additional infomation (Ref. 2) describing the basis for its parameter selection.
The staff's review of the applicant's submittals is not yet complete.
Infomation Needed No further information is needed at the present time regarding parameter selection.
4.2 Reliability (Instrumentation and Control System Branch)
The Instrumentation and Control System Branch (ICSB) was not represented at the audit. The audit team did gather some information about the reliability / availability of the Catawba SPDS and has forwarded the information to ICSB for its review.
Information Needed j
No further information is needed at the present time regarding system i
reliability.
4.3 Electrical and Electronic Isolation (ICSB) t At the time of the audit, the applicant provided the staff with some information regarding the isolation devices used in the Catawba SPDS.
The information is conceptual in nature and does not appear to answer the specific questions of the staff regarding the isolation devices.
However, it has been forwarded to ICSB for use in reviewing electrical and electronic isolation.
. Information Needed a.
For the E-MAX device used to accomplish electrical isolation, describe the specific testing performed to demonstrate that the device is acceptable for this application. This description should include elementary diagrams when necessary to indicate the test configuration and how the maximum credible faults were applied to the device, b.
Data to verify that the maximum credible faults applied during the test were the maximum voltage / current to which the device could be exposed, and define how the maximum voltage / current was determined.
c.
Data to verify that the maximum credible fault was applied to the output of the device in the transverse mode (between signal and return) and otner faults were considered (i.e., open and short circuits).
d.
Define the pass / fail acceptance criteria for this device.
e.
Provide a commitnent that the isolation devices comply with the environmental qualifications (10CFR 50.49) and with the seismic qualifications which were the basis for plant licensing.
f.
Provide a description of the measures taken to protect the safety systems from electrical interference (i.e., Electrostatic Coupling, EMI, Common Mode and Crosstalk) that may be generated by the SPDS.
4.4 Displav Data Validation (Human Factors Engineering Branch)
The method of data validation currently used in the Catawba SPDS is range / status checking supplemented by redundant sensor logic if more than one sensor is available.
1 Each computer analog input is continuously monitored for over and under range conditions, scan lockout, and out of service status. Digital input power fuses are also monitored. -When an input involving a function becomes invalid (blown fuse, over/under range, out of service, etc.) but the CSF status can still be determined from the remaining inputs, an alarm indicating an invalid input for the particular function affected is displayed.
If the invalid input affects the determination of the status, the affected CSF block changes to magenta indicating an indeterminate condition and remains in this state until the invalio input can be corrected or until the input is locked out to a known valid value or status.
The staff finds this method to be acceptable as an interim measure based on the fact that Duke Power-is involved in an Electric Power Research Institute (EPRI) project investigating signal validation techniques and i
i
. is committed to using the results of that progran (EPRI Project RP-2292-1,
" Validation and Integration of PWR Signals") to improve the current data validation methodology.
Information Needed A description of the improvements to the current data validation methodology should be submitted to the staff when the applicant has finalized the data validation methodology, i.e. incorporated appropriate techniques from the EPRI study. This information should be submitted no later that August 1, 1986.
4.5 Human Factors (Human Factors Engineering Branch)
The applicant has attempted to incorporate good human engineering principles into the Catawba SPDS design at several points in the design process.
Initially, when the design was conceptualized in early 1982, the design basis was reviewr.d by David Cain, an EPRI staff member with experience in SPDS design. Since the design is based on the status trees of the Westinghouse iRGs, it'also benefitted from the Westinghouse human factors input, albeit indirectly.
However, the bulk of the human factors input was derived from coordination with the Duke Power Company (DPC) efforts on the Detailed Control Room Design Reviev (DCRDR). During the SPDS development the control room review team conducted a task analysis using a mockup and color slides of proposed SPDS displays. The analysis examined the order and format of displays, their useability, and ability to support operator tasks as defined in the Westinghouse ERGS. After implementation
- the control room review team surveyed the computer displays including SPDS using a check-list that was derived from NUREG-0700. Areas of review included color usage, glare, labels, keyboard arrangement, and other human factors issues.
In addition, operator coments were solicited as part of the Operating Experience Review phase of the DCRDR.
The staff identified no significant deviations'from good human engineering practice in the SPDS displays or interface devices. However, the staff did note that other non-SPDS displays do not appear to be consistent with the SPDS displays in terms of color-coding.
In addition, these non-SPDS displays appear to deviate from good human engineering practice, i.e. they use non-standard color coding - green is used as the color for component labels (Seal Water Hx), pump "off", and valve
" closed"; yellow is used for " normal" dynamic data on one display (Chemical and Volume Control) and used for alarm data on another display (Radiological Monitoring). These deviations raise some question about the efficacy of the checklist survey of the Operator Aids Computer done by the control room review team.
Development of the Catawba SPDS was actually done on the McGuire plant -
the _ Catawba and McGuire SPDSs are conceptually and programmatically _
identical, i
. In summary, it appears that the applicant has attempted to incorporate good human engineering principles into the Catawba SPDS design. The staff identified no significant deficiencies in its audit of the SPDS displays, but is concerned that the human factors checklist survey that was done on the computer displays (including SPDS) may not have been effective.
Information Needed In order to confirm that the human factors review of the computer system was comprehensive and effective, the staff requests that Duke Power Company submit a summary of the human engineering discrepancies (HEDs) identified in its review of the Operator Aids Computer. This summary should include a short description of the HED, how it was resolved, and why it was resolved as it was.
4.6 Verification and Validation (HFEB, ICSB, PSRB)
The Verification and Validation (V&V) program appears to be comprehensive and well-documented.
The program is modelled after the V&V process described in NSAC 39, " Verification and Validation of Safety Parameter Display Systen." Some portions of the V&V program were done by independent organizations, e.g., the design basis was reviewed by EPRI, the conceptual logic was developed by the Westinghouse Owners' Group and reviewed by Duke Power, Nuclear Production.
For the most part however, the V&V was done by independent departments within Duke Power Company. Attachment 3 summarizes the major activities and the responsible reviewers.
It appears that an appropriate degree of independence from the design team was maintained, and that the intent of an independent V&V program - avoidance of common-mode errors - is being adequately addressed.
The V&V program is not yet complete. A dynamic validation of the integrated system is planned, but cannot be completed until the Catawba simulator is installed (1988).
In the interim, proper operation has been confirmed by using inserted values-to drive the display logic.
Documentation of the V&V program is also incomplete. The final summary document is presently scheduled to be published on January 1,1986.
Information Needed In order to confirm that the V&V program was adequately implemented, the staff requests that Duke Power. Company submit the V&V Summary Document (s) describing both the V&V process followed and the results.
4.7 Other Issues The staff was briefed by Duke Power regarding similarities and -
differences among the SPDS installations at Catawba, McGuire, and t.
T
. Oconee. The staff's conclusion is that the Catawba SPDS is nearly identical to the McGuire SPDS and was evolved from original design work performed on the McGuire SPDS. Very little additional review work should be needed to approve the McGuire design once the Catawba design is approved. The SPDS installation at Oconee is sufficiently different to warrant a separate review.
The only significant negative finding during the audit was the fact that there is a long time delay (several months) between updates to SPDS logic and corresponding updates to paper copies of the E0P status trees used by control room operators. At present, the trigger points for steam generator levels in the Heat Sink CSF under degraded containment conditions are less conservative than the levels listed in the E0Ps.
The SPDS logic actually reflects the results of the most recent safety analysis, and the E0Ps are in the process of being updated to this revision. The audit team recommends that the process of printing and distributing E0P changes be accelerated.
5.0
SUMMARY
The staff's audit of the Catawba SPDS identified no significant deficiencies in the design process, the V&V process, or the installed system. Several open items still exist pending completion of the V&V program and/or submittal of further information, e.g. Duke Power Company submittals regarding data validation, electrical isolation, human factors, and verification and validation (see sections 4.3 - 4.6).
Because the Procedures and Systems Review Branch and the Instrumentation and Control Systems Branch were not represented on the audit team, no conclusions could be drawn regarding parameter selection and parameter validation, system reliability, and electrical / electronic isolation.
The only significant finding involved delays in updating the E0Ps to reflect current analyses.
l t
REFERENCES 1)
Letter...H.B. Tucker (Duke Power Co.) t'o H.R. Denton (NRC), March 28, 1984 with. attachment.
2)
Letter, H.B. Tucker (Duke Power Co.) to H.R. Denton (NRC), January 23, I
1985 with attachment.
3)
NSAC-39, " Verification and Validation of Safety Parameter Display Systems", December 1981, E. A. Straker.
1 1
4 4
i l
l L
ATTACHMENT 1 CATAWBA UNIT 2 SPDS AUDIT AGENDA May 14-15, 1985 TUESDAY, MAY 14, 1985 8:30 AM INTRODUCTIONS AND BRIEFING GW Lapinsky 8:45 AM OVERVIEW OF SPDS IMPLEMENTATION RL Brown STANDARDS RL Brown HUMAN FACTORS ENGINEERING RH White RELIABILITY RC Collins VALIDATION AND VERIFICATION RL Brown IMPLEMENTATION PLAN RL Brown PROJECT MILESTONES RL Brown IMPLEMENTATION STATUS RL Brown 10:15 AM BREAK 10:30 AM DESIGN BASIS RL Brown WESTINGHOUSE EMERGENCY RESPONSE GUIDELINES AND CATAWBA EMERGENCY PROCEDURES GUIDELINES HJ Lee LOGIC DESIGN RL Brown DESIGN REVIEW HJ Lee TASK ANALYSIS OF SPDS RH White HUMAN FACTORS REVIEW RH White SOFTWARE DEVELOPMENT
-RC Collins VERIFICATION OF SOFTWARE LR Frick VALIDATION TESTING OF SOFTWARE LR Frick 12:00 LUNCH 1:00 PM SENSOR VALIDATION LR Frick DYNAMIC TESTING RL Brown SIMULATOR INSTALLATION RL Brown DOCUMENTATION RL Brown 2:00 PM OPERATOR AID COMPUTER SYSTL'M AND EMERGENCY RESPONSE FACILITIES RL Brown i
DISCUSSION OF SPDS INPUTS AND INPUT ISOLATION RM Meacham SPDS MAINTENANCE AND REVISION PROGRAM RG Morgan OVERVIEW OF McGUIRE AND OCONEE SPDS AND i
IMPLEMENTATION STATUS RL Brown 2:50 PM BREAK 3:00 PM TOUR OF STAGING COMPUTER AND DEMONSTRATION OF OCONEE DISPLAYS RC Collins
CATAWBA NUCLEAR STATION SPDS AUDIT i
Page 2 4:00 PM NRC QUESTIONS AND REVIEW 0F DOCUMENTATION 4:30 PM ADJ0 URN WEDNESDAY, MAY 15, 1985:
i' TECHNICAL TRAINING CENTER:
9:15 AM TRAINING PROGRAM DESCRIPTION GE Spurlin i
9:45 AM DESCRIPTION OF SIMULATOR AND SPDS CA Maju.e 10:10 AM BREAK
[
10:30 AM
' DISCUSSION OF SCENARIO CA Fajure 10:45 AM SIMULATOR DEMONSTRATION CA Majure
[
11:15 AM QUESTIONS AND DISCUSSION 11:30 AM DEPART FOR CATAWBA AND LUNCH CATAWBA NUCLEAR STATION-l 1:30 PM TOUR OF CONTROL ROOM, EMERGENCY RESPONSE FACILITIES, AND DEMONSTRATION OF SPDS 4
AND SUPPORTING DISPLAY SCREENS RG Morgan, RC Collins 2:00 PM TECHNICAL SUPPORT CENTER (TSC) 1 2:15 PM SCENARIO DISCUSSIONS 2:45 PM QUESTIONS AND DISCUSSIONS-t 3:00 PM NRC CAUCUS 3:15 PM EXIT BRIEFING 3:30 PM ADJ0 URN t
E L
l
=.... --
t s.
1 ATTACHMENT 2 l
1 ATTENDANCE LIST May 14, 1985 NRC Duke Power Company i
G. Lapinsky R. Sharpe R. White J. Warren NRC Consultants R. Morgan R. Collins J. DeBor H. Lee
~
1 G. Bethke R. Brown C. Kain R. Dobson i
H. Davenport L. Frick A. Fairweather i
l May 15, 1985 NRC Duke Power Company j
K. Jabbour R. Brown G. Lapinsky C. Majure i
G. Spurlin R. Sharpe NRC Consultants R. Morgan J. Ferguson v
G. Bethke R. Collins C. Kain e
J. DeBor 1
i i
i i-I b
t s
l r
w
ATTACHMENT 3 VALIDATION AND VERIFICATION OF SAFETY PARAMETER DISPLAY SYSTEM l
DESIGN BASIS:
CONTROL ROOM REVIEW STEERING COMMITTEE REVIEW 0F DESIGN BASIS:
CONTROL ROOM DESIGN REVIEW TEAM AND STATION PERSONNEL DAVE CAIN OF EPRI/NSAC EMERGENCY RESPONSE GUIDELINES:
WESTINGHOUSE OWNERS GROUP SELECTION OF CRITICAL SAFETY WESTINGHOUSE OWNERS GROUP FUNCTION 5?
DEVELOPMENT OF[ CATAWBA NUCLEAR PRODUCTION'S REACTOR SAFETY UNIT EMERGENCY OPERATING PROCEDURES GUIDELINES:
VALIDATION AND VERIFICATION DESIGN ENGINEERING ELECTRICAL PLAN:
GENERATION OF SPDS LOGIC:
INSTRUMENTATION & ELECTRICAL OF NUCLEAR PRODUCTION VERIFICATION OF SPDS LOGIC:
REACTOR SAFETY UNIT OF NUCLEAR PRODUCTION GENERATION OF SPDS SOFTWARE:
PROCESS COMPUTER UNIT OF PRODUCTION SUPPORT VERIFICATION OF SPDS SOFTWARE:
COMPUTER AND SECURITY ENGINEERING 0F DESIGN ENGINEERING VALIDATION OF INSTALLED SPDS COMPUTER AND SECURITY ENGINEERING OF
,5OFTWARE:--
DESIGN ENGINEERING TASKANALYSISOf[SPDS:
CONTROL ROOM DESIGN REVIEW TEAM DEVELOPMENT OF SUPPORTING PRODUCTION SUPPORT DEPARTMENT DISPLAY SY5 TEM:
HUMAN FACTORS REVIEW 0F SPDS CONTROL ROOM DESIGN REVIEW TEAM N PLAY SYSTEM:
~
ONGOING VALIDATION OF SPDS PERFORMANCE SECTIONS AT EACH SYSTEM NUCLEAR STATION