ML20137N182
| ML20137N182 | |
| Person / Time | |
|---|---|
| Site: | Mcguire, Catawba, McGuire, 05000000 |
| Issue date: | 11/27/1985 |
| From: | Tucker H DUKE POWER CO. |
| To: | Harold Denton, Youngblood B Office of Nuclear Reactor Regulation |
| References | |
| NUDOCS 8512040080 | |
| Download: ML20137N182 (22) | |
Text
.
e-i:
DUKE POWER GOMPANY P.O.Hox G3180 CitAHI OTTE, N.O. 28242 HAIA B. TUCKER TELEPHONF,
- m...
e.,
(704) 373-4531
. m u..
,ono.
November-27, 1985
'Mr. Harold R. Denton, Director Office of Nuclear Reactor Regulation
.U.
S. Nuclear Regulatory Commission Washington, D.-C.
20555 Attention:
Mr. B.
J. Youngblood, Project Director PWR Project Directorate No. 4 Re:
Catawba Nuclear Station,-Unit 2 Docket No. 50-413 McGuire Nuclear Station Docket Nos. 50-369 and 50-370
Dear Mr. Denton:
On September 10 and October 31, 1985, the NRC transmitted the results of the Staff's audit of the Catawba Unit 2 Safety Parameter Display System (SPDS).
These letters included a number of requests for additional information.. On November 7, 1985, additional questions were received concerning the McGuire Units 1 and 2 SPDS.
The questions received on McGuire were essentially identical to questions-received ~on Catawba, conseq'uently the responses have been combined.-
A' response to the. September.10, 1985-letter is provided in.
A response to the October 31 and November 7, 1985 letters is provided in' Attachment 2.
Very truly yours, ds k r
. f Hal B. Tucker ROS:slb Attachments i
t,
8512040000 851127 PDR ADOCK 05000369 F
T: '
Mr._HOrold R.cDenton, Director
_ November 27, 1985 Page Two cc: L Dr. J. Nelson. Grace, Regional Administrator LU. S.-Nuclear Regulatory Commission
. Region II 101 Marietta Street, NW, Suite 2900 Atlanta, Georgia 30323 NRC Resident Inspector Catawba Nuclear Station Mr. Darl Hood Division of PWR Licensing - A Office of Nuclear Reactor Regulation U.
S. Nuclear Regulatory Commission
. Washington, D.~C.
20555 Mr. W. T. Orders
-NRC Resident Inspector McGuire Nuclear Station Dr. K. N. Jabbour-Division of PWR Licensing - A Office of Nuclear. Reactor Regulation U. S.
Nuclear Regulatory' Commission Washington',-D.
C.-
20555 2
7 c.
ATTACHMENT 1 Catawba Unit 2 Response to NRC Letter of September 10, 1985 4.3 Electrical and Electronic Isolation
~
A separate' response'was submitted on this item November 1, 1985.
4.4 Display Data Validation Duke Comment on 3rd paragraph, Page 3 On the subject of'dato validation, the audit report states that "the staff finds this method to be acceptable as an interim measure based on the fact that-Duke Power is involved in an Electric Power Research Institute '(EPRI) project investigating signal validation techniques and is committed to using the results of that program to improve the current data validation methodology." Duke actually stated that we intend to closely review the results of the.EPRI Signal Validation Project and to evaluate implementation of resulting physical and/or analytical redundancy software on the Catawba SPDS.
Information Needed A description of the improvements to the current data validation methodology should t+ % bmitted to the staff when the applicant has 4
finalized the data valifhtion methodology, i.e., incorporated appropriate etechniques'from the EPRf study. This information should be submitted no later than August 1,-1985.
Response
- Since the EPRI project Final Report is not scheduled to be complete until the second quarter of 1987,~ Duke will be unable to submit a description of planned improvements to the current data validation methodology until August
- 1, 1987.
- 4.5 Human Fectors Information Needed In order to' confirm.that the human factors review of the computer system was comprehensive and effective, the staff requests that Duke Power Company submit a summary of the human engineering discrepancies (HEDs) identified in-its review of the Operator Aids Computer. This summary should include a short description of the HED, how it was resolved, and why it was resolved as it was.
,7 4
RES PONSE:
The. Control Review Team provided on-going htaan factors review and. support to the SPDS' developent activity.
In addition to periodic reviews during the SPDS development, the Review Team performed a task analysis of the SPDS during the display development phase and a htaan factors survey of the SPDS
~ disp 1aya af ter system impienentation.
The Review Team also reviewed the Operator. Aid Computer system (OAC) and the non-SPDS displays during the Control Room Review (CRDR). The review of the OAC system was performed in the Operating Experience Review (OER) and Control Room Survey,(CRS) activities of the CRDR as described in Sections 3.1 - 3 5 of the Duke Power Compary, Catawba Nuclear Station, ; Response to Supplement 1 to-NURm-0737 An evaluation of the Duke CRDR review methods and results by-the NRC Staff (including a pre-implementation audit by the Staff and htaan factors consultants from Lawrence Livermore National Laboratory) 'is contained in the Safety Evaluation Report, Supplement No. 2 for Catawba Nuclear Station, Unit 1.
The Objective of the OER was to identify features of Control Room operation of design which could potentially degrade effective control of the plant during normal or anergency ~ operations.
The review focused on two primary areas, -(1) an operator survey, performed with questionnaires and interviews, and (2) a review of the operating history of each plant, including an examination of generic industry problems for applicability to the Duke
-- review.
Biotechnology, Inc., (BTI) was assigned lead responsibility for the OER.
Duke line organizations assisted BTI in the research necessary to review
. plant and industry operating history.
The Review Team arranged for the briefing of station personnel, the Lacheduling o' operator interviews, and the distribution of questionnaires.
The Review Tsam also assisted BTI in the questionnaire 'develogment and, jointly with BTI, reviewed the operator survey results and recorded HEDs
.(human engil.eering discrepancies or potential problems). BTI conducted all operator ir.;erviews, administered the distribution and the collection of questionne eres, and performed the data reduction necessary to provide the final OER results.
]
1 A stammary of the questions relating to the OAC system is shown in Attachment
)
4.5-1.
l l
i l
i
,,,_-,,,-._na,,,
nc
,e
_,,w,n
_,n,-n~,, -
-n.m,~--,
,v
The Objective of the CRS was to determine the extent to which Control Room equipent, components, and environment were in compliance with htman engineering guidelines.
The CRS included three different types of surveys:
o A Physinal Survey was conducted, both on-site and using full scale mock-ups, to evaluate Control Room components and equipment.
o An Enaineerine Survey was performed to evaluate the Control Room against guidelines which could be assessed using engineering drawings, or which required special studies, o
An Environmental Survey was conducted to assess guidelines which required measurements of environmental factors, such as noise, illumination, etc.
De scope of these individual surveys and the specific methods used were oriented to the type of data to be collected and the most efficient and effective methods for obtaining the data.
Responsibility for arranging and conducting the Control Room Survey was assigned to the line organization in the Design Engineering Department.
A Control Room Survey Team (CRST) was chosen and staffed by personnel familiar with Control Room / control board layout and design.
he CRST worked closely with consultants from BTI to develop the survey methods and materials.
The CRST also performed the surveys, documented HEDs, and other survey results.
BTI was given responsibility for leading in the definition of survey methods, preparing final materials, and for providing htman factors assurance of the survey results.
Checklists were developed from both NUREG-0700 and Duke-specific guidelines and standards for use in the CRS.
These checklists covered ten major topic areas:
(1)
Control Roce Workspace (2)
Communica tions (3)
Annunciators (4)
Controls (5)
Visual Displays (6)
Labels / Location Aids (7)
Computers (8)
Panel Layout (9)
Control / Display Integration (10) Codes and Conventions A sample of the Human Factors Principles used for the developnent of the detailed checklists for the review of the OAC (Topic 7) and for color coding conventions is shown. in Attachment 4.5-2
i
. HEDs were written during the review activities for later assessment during the Assessment Phase of the CRDR.
An assessment team composed of three
- senior reactor operators, three mechanical and nuclear engineers, two 3
. electrical engineers, and two htaan factors specialists reviewed all HEDs and determined the final disposition for each HED.
. HEDs were first screened to determine the following:
o Is the HED an actual deficiency in the cite-specific Control Room context?
o Does the HED require individual study and assessment?
i o
Should the HED Le resolved to maintain consistency with Control Room oor!vantions or standards?
o Is the HED part of a larger or generic HED, or a duplicate HED?
i o
Is the HED so minor that no physical change is needed and the HED could be resolved by establishing operator arareness through training?
o Can the HED be resolved by surface enhancements?
Is the HED already being ' resolved by an existing design change?
o HEDs that did not fall into one of the above categories were evaluated by a formal significanoe evaluation process to determine the relative significanoe. Factors of the significance evaluation were the potential for operator error, the potential for detection and recovery, and the consequence of the error to plant operation and safety.
An HED was. determined to be a non-deficiency in cases where the HED as written was not valid (for example: where the human factors principle was inappropriately applied by the reviewer, or where the reviewer did not have accurate information concerning plant specifics), or cases where 'the HED was valid but with important extenuating circumstances (for example: where a component served more than one function and the HED did not apply to the primary function, or where the HED concerned a general population stereotype versus a Duke standard)..
During the review activities, a total for 45 HEDs were written specifically concerning the OAC system.
The assessment results for these HEDs are as follows:
6 - Operator / plant awareness solutions l
2 - Duplicate HEDs 2 - Physical change solutions 2 - Surface enhancement solutions 33 - Non-deficiencies
The following is a stamary of CRDR HEDs with surface enhancement, physical change, or awareness solutions concerning the OAC system:
1-0151 Screen loading for several graphic displays exceeded the guideline of 255. Graphic displays were reviewed during Assessment on a case-by-case basis.
Three displays were recommended for plant review for modifications. 0159 Printers printed at a speed less than the guideline speed of 300 lines
- per minute.
He Review Team recommended that the output buffer be increased (to prevent loss of data while printing) or that printers be changed to faster printers.
1-0164 Some computer operating procedures did not appear to be prepared from the view point of the Control Room Operator.
De Review Team recommended that Catawba Operations review all computer operating.
procedures for effectiveness for Operator use.
1-0272 Printer ribbons needed to be changed to provide adequate contrast.
The Review Team recommended that a maintenance procedure be instituted to periodioally replace the printer ribbon.
1-0463 Some function keys on the OAC operator keyboard were not labelled.
De Review Team recommended that labels be added for these keys.
1-0464, A spare (non-used) key on the OAC operator keyboard was mis-labelled.
He Review Team recommended that this label be removed.
1-0 51 ?
2e reset switch-for the OAC Alarm Video (located on Panel MC-2) was located on Panel MC-1.
The Review Team recommended that this switch be relocated to Panel MC-2
1 1-0606 i
OAC CRTs used during the plant construction phrase had poor color discrimination and contrast.
he Review Team recommended replacement
'of these CRTs.
1-06 56 s
he present scale range for several analog inputs did not meet Reg.
Guide 1 97 recommendations.
The Review Team recommended that the existing 40 to 200 degrees (F) scale be increased to 40 to 400 degrees (F )..
2-0156
- Same as HED 1-606, except specific for Unit 2.
Resolution is the same as HED 1-606.
Section 4.5, Paragraph 3, of the SPDS Audit Report discusses color coding used for CRT displays.
Duke standards for color coding of the CRT displays have been in use since color CRTs were first used in Duke plants in the early 1970's.
Good hinan engineering practice requires that relatively few colors be used and that each color have well-defined, specific meanings, consistent in application for both CRTs and other Control Room indications.
, Duke standards in this area ensure consistency in color assignment and usage in accordance with good htaan engineering practice.
While specific meanings can only be associated with particular colors in a given application, there are general htman engineering guidelines for certain colors based on general population stereotypes.
. guidelines 6.5.1.6 (c) and' 6.7.2.7 (k) illustrate the population stereotypes for red, green, yellow, etc.
he Duke standards for CRT displays are in accordance with these stereotypes.
For example, red is used on the Alarm
- Video displays for incoming alarm messages and red is also used for the highest level of SPDS alarm. _ Yellow is used for a lower level ("potentially unsafe hazard, etc.") of SPDS alarm and green is used for the " function satisfied" SPDS status.
In addition to these uses on specific displays, red and green are used for coding of equisment status for system graphic displays.
For example, red is used for ptaip "on", valve "open", etc. and green is used for pump "off",
valve " closed", etc.
his usage is consistent with control board indicator lamps which display red and green for equipment status display and is a population stereotype for utility operators both at Duke and in the majority of the utility industry.
his standard for equipment status display has been in use for mary years.
V j
As stated in NUREG-0700, Guideline 6.5.1.6: "All coding schemes must be learned. Learning of a color code can be facilitated by keeping the code simple and by taking advantage of common usage in everyday life." The coding system used at Duke takes advantage of common usage both in everyday life and conventions common within the utility industry with which operators are very familiar.
}
/
l
ATTAC35MT 11.5-1 GENERIC CONTROL ROOM PROBLENiS VI. PROCESS COMPUTERS This section of the questionnaire deals with design and use of computer systems in the control room. The intent is to identify problems in the computer / user interface. These may arise in the areas of program / computer procesns, memory location and access, CRT messages, format, and characters, in responding to these questions, please consider potential delays or errors in task performance where interaction with the computer is required.
- 59. Some operations using the computer are hindered by lack of suitable written procedures for users. (NUREG.
0700, Section 6.7.1.8.a) Please gecify.
- 60. Some computer display groups are not arranged in the order that is most useful to the operator. (NUREG-0700, Section 6.7.2.6.c,d,e) Please specify.
- 61. Some computer failures or malfunctions are not adequately covered by back up procedures. (NUREG 0700, Section 6.7.1.8.a) Please mecify/ explain problem (s).
- 62. Point ids used to call up specific parameters are difficult to use or are not well defined. (NUREG-0700, Section 6.7.1.8.b)
~4. Some CRT characters or graphics are difficult to read from the usual location. (NUREG 0700, Section 6.7.2.1.a)
- 64. CRT display parameters such as contrast cannot be suitably controlled by the operator. (NUREG 0700, Section 6.7.2.1.h)
- 65. Some data are not presented in a logical or directly usable form-e.g., transposition, calculation,interpo-lation, or mental transformation is required. (NUREG 0700, Sections 6.7.2.4.a,b,d,h and 6.7.2.5.a) Please specify problem (s).
- 66. Confusion can occur because of inconsistency in display formats used for identical or equivalent types of data or messages. (NUR EG 0700, Sections 6.7.2.4.e and 6.7.2.5.a,b,j,k)
- 67. Some CRT displays are difficult to read because alphanumeric data are not grouped, spaced, aligned, punctuated, or labeled suitably. (NUREG 0700, Sections 6.7.2.4.c,g,m.n.o,p and 6.7.2.5.c,f) Please specify problem (s).
- 68. Computer messages and prompts given to the user are insufficient, inappropriate, or difficult to interpret /
apply. (N U R E G-0700, Section 6.7.2.6.a,b,c,d,e,f) Please describe problem (sj or sh e example (s).
- 69. The system for correcting input errors is inadequate-e.g., too complicated, or it is difficult to correct an error without affecting adjacent valid entries. (NURE G 0700, Section 6.7.2.6.h) Please describe problem (s).
ATTAC't!E:IT 4.5-2
- 7. PROCESS COMPUTERS CRT MESSAGES Principle 7.22: Messages should conform to the following guidelines:
a.
MESSAGES, GENE R AL (1) Messages should be concise.
(2) Messages should provide the operator with the information necessary to complete a specific action or decision sequence.
- b. MESSAGE CONTENT-Information contained in messages should be necessary, complete, and readily usable.
c.
USE OF PROMPTS-Prompts should be displayed whenever the operator may need directions or guidance to initiate or complete an action or sequence of actions.
- d. CONTENT OF PROMPTS-Prompts should contain clear and specific cues and instructions which are relevant to the action to be taken.
e.
PROMPT INFORMATION SEQUENCE-Directions should be placed in the sequence to be used by the operator, f.
USE OF ERROR MESSAGES-Whenever an operator error or invalid input is detected, an error message sneuld be displayed.
- (
ERROR CORRECTION GUIDANCE-Error messages should contain instructions to the g.
operator regarding required corrective action.
- h. ERROR CORRECTION EASE-Capability should be provided for operator correction of individual errors without affecting adjacent valid entries.
- i. SYSTEM STATUS FEEDBACK MESSAGES-Feedback messages should be provided to the operator to indicate changes in the status of system functioning.
J. SELECTION FEEDBACK-When a displayed message or datum is selected as an option or input to the system, the subject item should be highlighted, or otherwise positively identified, to indicate acknowledgement by the system.
- k. DELAY FEEDBACK-When system functioning requires the operator to stand by, such as when the computer is searching for requested data, periodic feedback should be provided to the operator to indicate normal system operation and the reason for the delay.
- i. ACTIVITY COMPLETION FEEDBACK-When a process or sequence is completed by the system, positive indication should be presented to the operator concerning the outcome of the process and requirements for subsequent operator actions.
Guidance: NUREG 0700, Section 6.7.2.6 Survey Application: Engineering Revision: 112 82 C
(
C 67
a.
- 7. PROCESS COMPUTERS f
i t
CRT DISPLAYS Principle 7.23: Graphic coding and highlighting of CRT displays should conform to the following guidelines:
USE OF HIGHLIGHTING-highlighting should be used to attract the operator's attention to a.
any displayed data item or message which is important to decisionmaking or action require-
- ments,
- b. CONSISTENT APPROACH
- (1) Highlighting methods which have information value beyond their attention-getting quality should have the same meaning in all applications. (C727)
(2) Highlighting methods associated with emergency conditions should not also be used in association with normal conditions.
c.
CONTRAST ENHANCEMENT-When contrast enhancement (i.e., increased illumination intensity level) is used for highlighting, not more than two (preferable) or three (maximum) brightness levels should be used in a single presentation.
- d. FLICKER OR BLINKING-Blinking of a symbol or message (e.g., ON OFF or alternating high low brightness) for purposes of highlighting should be reserved for emergency conditions or similar situations requiring immediate operator action.
)
e.
BLINK RATES (1) When blinking is used for highlighting, a maximum of 2 blink rates snould be used.
(2) When a single blink rate is used, the rate should approximate 2 3 " blinks" per second with a minimum of 50 msec "on" time between blinks.
(3) When 2 blink rates are used, the fast blink should approximate 4 per second and the slow blink should approximate 1 per second.
(4) When 2 blink rates are used, the "on-off" ratio should approximate 50%
(5) When 2 blink rates are used, the higher rate should apply to the most critical information.
f.
INVERSE VIDEO-Image reversal (e.g., dark characters on a light background) should be used primarily for highlighting in dense data fields, such as a word or phrase in a paragraph of text, or a det of characters in a table of data.
USE OF GRAPHIC CODING-Graphic coding methods (e.g., symbols, boxes, underlines, g.
colors) should be used to present standard qualitative information to the operator or to draw the operator's attention to a particular portion of the display,
- h. GRAPHIC CODE CONSISTENCY-Graphic codes, used separately or in combination, should have the same meaning in all applications.
C-68
i
- 7. PROCESS COMPUTERS CRT DISPLAYS (Continued)
Principle 7.23 (Continued) 1.
GEOMETRIC SHAPE CODING-When geometric shape (symbol) coding is used, the basic symbols should vary widely in shape.
J. NUMBER OF SYMBOLS (1) The number of basic symbols used for coding should be kept small.
(2) The upper limit under optimum display conditions should be 20.
(3) The upper limit under adverse display conditions should be 6.
(4) When needed, other highlighting and graphic techniques (color, filled versus unfilled, and other " modifiers") should be used to display different states or qualities of a basic symbol.
- k. RED-GREEN COMBINATIONS (1) Whenever possible, red and green colors should not be used in combination.
(2) Use of red symbols / characteristics on a green background should especially be avoided.
Guidance: N U R EG-0700, Section 6.7.2.7.a,b,c,d,e,f,g,h,1,j,m
. Survey Application: Engineering Revision: 10-25-82 B
(
L C 69
F
- 7. PROCESS COMPUTERS CRT DISPLAYS (Continued)
Principle 7.24: When the data presentation encompasses more than one page or when scrolling, panning, and zooming of a single page is anticipated, the following guidelines should be applied:
s.
OPERATOR MEMORY (1) Page design and content planning should minimize requirements for operator memory.
(2) All data relevant to a specific operator entry should be displayed on a single page.
- b. AUDIT TRAIL-When pages are organized in a hierarchical fashion, containing a number of different paths through the series, a visual audit trail of the choices should be available upon operator request.
- c.
LOCATION REFERENCES (1) When the operator is required to scroll or pan on a large logical frame, location references should be provided in the viewable portion of the frame. (For example, when scrolling a list, only part of which is visible at any one time, the present and maximum location should be shown.) (C728)
(2) Sectional coordinates should be used when large schematics must be panned or magnified.
- d. OPER ATOR CONTROL-The operator should have some capability for controlling the amount, format, and complexity of information (e.g., core dumps, program outputs, error messages) being displayed by the system.
e.
LOCATION CONSISTENCY-If the message is a variable option list, common elements should maintain their physical relationship to other recurring elements.
Guidance: NUREG-070. Section 6.7.2.8 Survey Application: Enginee.c!ng Revision 10-24-82 B C 70
- 10. GENER AL CODING CONVENTIONS COLOR CODING Principle 10M: Color coding should be consistent, well defined, and distinguishable throughout the control roo,'n. Coding should be in conformance with Exhibit 3.
Examples:
e items to be checked include: labels, controls, indicating lights, annunciators, scales (zone marking), demarcation lines, mimic bus, CRT colors, and any other places color is used in the control room.
Pertinent information should be available from some other cue in addition to color (e.g., red e
button engraved "ON" and in top position),
e Colors used should be distinguishable and contrast with the background.
The control room should have a maximum of 11 colors used for coding purposes.
e
- e The color meaning should be narrowly defined and consistent throughout the control room.
(C422), (C423), (C517), (C523), (C727) e The color of a control and its related display should be the same.
(
e Mimics:
- Flow paths should be color coded
- Colors should be distinguishable from each other Mimics depicting flow of same contents (e.g., steam, water, electricity) should be consistent throughout the control room No more than 4 mimic lines of the same color should run in parallel.
Guidance: NUR EG-0700, Sections 6.4.2.2.a,f, 6.5.1.6.a,b,c(1), d,e(2), 6.5.2.3.c, 6.5.3.2.a(2),(3),
6.5.3.3.d, 6.6.6.3, 6.6.6.4.a. 6.7.2.7.k Survey Application: Physical Revision: 1182 D o
C 82
=
e e'
e 4.6 Verification and Validation Information Needed In order to confirm that the V&V program was adequately implemented, the staff requests that Duke Power Company submit the V&V Summary Document (s) describing both the V&V process followed and the results.
Response
The Verification and Validation (V&V) summary packages are currently being developed. The scope of the documentation has been expanded and
'will consist of three separate phases:
Phase I
- SPDS Development Summary Phase II - SPDS Maintenance Summary Phase III - Simulator Validation Summary The Phase I and II summary documents are now scheduled to be completed July 1, 1986. The Phase III summary document will be developed at the appropriate time following installation of the Catawba simulator (1988).
1 r
14. 7 Other Issues NRC Comment-The only significant negative finding during the audit was the fact that there'is a_long time delay (several months) between updates to SPDS logic and corresponding updates to paper copies of the E0P status trees used by control room operators. At present, the trigger points for steam gener-ator levels' in the Heat Sink CSF under degraded containment conditions are less conservative than the levels listed in the E0Ps. The SPDS logic actually reflects the results of the most recent safety analysis, and the E0Ps are in the process of being updated to this revision. The audit team recommends that the process of printing and distributing E0P changes be accelerated.
Response
Positive, administrative controls have been developed to coordinate the implementation of SPDS software changes (e.g., setpoint revisions) with the hard copy E0P revisions. These controls are in the form of an
" Emergency Procedure Change Checklist," which stipulates the E0P revision activities which must be accomplished and their sequence. Additionally, the printing process involved in developing the multi-colored hard copy status trees will be given a high priority with appropriate completion deadlines assigned.
4 I
m ATTACHNENT 2 Catawba Unit 2 Response to NRC Letter of October 31, 1985 McGuire Units 1 and 2 Response to NRC Letter of November 7, 1985 PROCEDURES AND SYSTEMS REVIEW BRANCH 1.
Parameter Selection
- As a result of its review, the stafi.*oted that the following variables are not proposed for the McGuire/ Catawba SPDS.
1.
Hot Leg Temperature 2.
RHR Flow Rate 3.
Stack Monitor 4.
Steam Generator (or steamline) Radiation 5.
Containment Isolation Hot leg temperature is a key indicator used in the ERGS (Revision 1, "ES-0.1, Attachment A,"
" Generic Instrumentation," page 3) to determine the viability of natural circulation as a mode of heat removal.
Reference 1 indicates "NC System temperature" as a proposed variable, but
.does not specify hot leg temperature.
During RHR and ECCS modes of cooling when steam generators are not avail-able, RHR flow is a key indicator to monitor the viability of the heat
. removal system. Steamline (or steam generator) radiation, in conjunction with containment radiation and reactor stack radiation, gives a rapid assessment of radiation status for the most likely radioactive release paths to accomplish the " Radioactivity Control" safety function. For a rapid assessment of Radioactivity Control, the applicant has 'not demonstrated how radiation in the secondary system (steam generators and steamlines) is monitored by SPDS when the steam generators and/or their steamlines are isolated. The analysis should be expanded to include this discussion.
Containment isolation is an important parameter for use in making a rapid assessment of " Containment Conditions." In particular, a determination that known process pathways through containment have been secured provides.significant additional assurance of containment integrity.
The above variables do, for given scenarios, provide unique inputs to the determinations of status for their respective CSFs, which have not been discussed by the applicant as being satisfied by other variables in the proposed McGuire/ Catawba SPDS list. The licensee / applicant should address these. variables and their functions by:
(1) adding the variables to the McGuire/ Catawba SPDS, (2) providing alternate added variables along with justifications that these alternates accomplish the same safety functions for all scenarios, or (3) providing justification that
c
~
variables currently on the McGuire/ Catawba SPDS do in fact accomplish the same safety functions for all scenarios.
Response
Item #1 - Parameter Selection The McGuire/ Catawba SPDS fs based on'the Westinghouse Owners Group (WOG)
Critical Safety Funct"-
saatus Tree concept as detailed in Revision 1 of the Emergency Responcs duidelines (ERGS). As such, the parameter selection is generically specified in the ERG documentation and should be essentially consistent among all WOG member utilities. The McGuire/
Catawba SPDS does not include four of the five parameters identified in the NRC question since these parameters are not deemed necessary in order
'for the SPDS to perform its intended design function of monitoring and alarming challenges to the six critical safety functions. Additional justification for not including these parameters follows:
1.
Hot Leg Temperature The McGuire/ Catawba SPDS utilizes the wide range hot leg RTDs to continuously monitor hot leg subcooling. An abnormal increase in hot leg temperature would eventually result in an SPDS alarm on loss of subcooling, and would direct the operator to implement emergency procedure EP/2/A/5000/2B3, Saturated Core Cooling Conditions, at Catawba Unit 2 and EP/n/A/5000/12.3, Response to Caturated Core Cooling, at McGuire. Subcooled hot leg conditions along with an adequate steam generator heat sink (monitored by the Heat Sink Critical Safety Function Status Tree) ensure that the conditions for natural circulation exist. The NRC concern regarding incorporation of hot leg temperature in the McGuire/ Catawba SPDS is addressed in this manner.
2.
RHR Flow Rate The McGuire/ Catawba SPDS does not utilize RHR flow rate as a part of the critical safety function monitoring strategy. However, a loss of RHR flow will result in abnormal. process parameter indications that are monitored by the SPDS. A loss of RHR flow will be indicated by a loss of RCS inventory, as indicated by a decrease in pressurizer or reactor vessel level, or by a reduction in core cooling which -
results in a loss of subcooling.
In this manner the symptoms result-ing from a loss of RHR flow will cause SPDS alarms to actuate and alert the operator to abnormal conditions. The cause will then be easily diagnosed and appropriate mitigating actions undertaken.
3.
Stack Monitor (Unit Vent Radiation Monitor)
The McGuire/ Catawba SPDS does not include the unit vent radiation monitor. During the development of the SPDS the only radiation monitor incorporated into the logic design was the containment dome radiation monitor. This exception was judged to be necessary in order to initiate a manual containment isolation signal in the event of a high radiation indication without a simultaneous automatic l
b_
containment isolation signal. For all other radiation monitors:
. including the unit vent, it'was decided that due to the high level of emphasis placed on radiation monitors during operator training,
'and due to the distinct characteristics of the audible radiation monitor alarms, there exists a very high degree of confidence that the operator will respond appropriately to all radiation monitor alarms. Furthermore, no additional benefit could be identified by including the radiation monitors in the SPDS.
4.
Steam Generator (or steamline) Radiation Main steam line radiation monitors are not included in the McGuire/
Catawba SPDS. As previously stated in the response to #3 above, no additional benefit could be identified by doing so when considering the already existing and clearly distinguishable audible alarms and indications. With respect to monitoring an isolated steam generator, it is not considered appropriate for this function to be performed by the SPDS. Once the steam generator is isolated the mitigation action (i.e., isolation) has already been performed. The radiation is contained and will remain so until manual unisolation is required as necessary. The emergency procedures emphasize the indication of an uncontrolled increase in. steam generator level as a symptom of a steam generator tube rupture. This indication is valid even if the steam generator is isolated. The need to emphasize this indication
~
procedurally rather than via.the SPDS is due to the inability to mathematically describe an " uncontrolled increase in steam generator level" in the SPDS logic. The situation of concern is more than adequately covered with the existing radiation monitor alarms and with the event based emergency procedures.
5.
Containment Isolation Containment isolation status is not monitored by the McGuire/ Catawba SPDS.
Instead,. clustered monitor light pare s are provided 'in the control room to clearly indicate the statua of the containment isol-ation function. Following actuation of a safety injection signal the shift crew immediately implements emergency procedure EP/7/A/5000/01, (EP/2/A/5000/01, Reactor Trip or Safety Injection for Catawba Unit 2).
In Step D-2 (D-3 for Catawba Unit 2) of this procedure the operator verifies that the status of all Phase A containment isolation valves is appropriate.
If not then manual operation is initiated. Similar procedural g'tidance exists 'for Phase B containment. solation. This procedur.1 step is performed following any abnormal transient that causes a safety injection signal. Subsequent to this step unisolation of a containment
. penetration can only occur due to a deliberate operator action.
Continuous monitoring by the SPDS is not necessary. The status of containment isolation can be verified at any time by checking the monitor light panels in the control room.
2-Parameter Validation (Catawba Unit 2 only)
In References 1-3, the applicant discusses its program for validation of the Catawba SPDS variables.
In that~ discussion the applicant references i
.~
validation programs for the Westinghouse Owners Group ERGS and Duke Power's Emergency Procedure-Guidelines for Catawba. Also referenced is the task analysis performed by Duke Power's Control Room Design Review Team.
Included is a description of a " control board mockup" walk-through of a scenario developed using plant emergency procedures and'the Westinghouse ERGS. A detailed description of the event scenario was not
.provided. ~ However, a more detailed presentation of Verification and Validation (V&V) program plans was presented to an audit review. As noted in the audit report (Reference 4), the V&V program is not complete, but will be completed after the Catawba simulator is installed in 1988.
. Although this program may provide a proper framework for_ validation of the SPDS variable set, the staff recommends that future validation exercises (particularly those using the simulator) include a spectrum of events which would challenge both the near-term and long-term scenario monitoring capabilities ofsthe SPDS. Such a spectrum of events might include: Large LOCA, Loss of Main Feedwater, Core Power Excursion, _ Steam Generator Tube Rupture.with Loss of Offsite Power, Large Steamline Break, and one or more Severe Accident cases.
The applicant should respond to the staff's recommendation by providing a list'of the transients / scenarios that will be used to validate the Catawba SPDS variable set.
Response
(
As noted by the'NRC staff, a final step in the validation of the Catawba SPDS.will consist of a comprehensive exercising of the SPDS on the Catawba simulator. This activity will be performed as part of the post-delivery testing of the simulator. The Catawba simulator (to be deli-vered in 1988) will be capable of simulating all dperational transients and accidents that are of interest for operator training. The list of transients that will be utilized to validate the SPDS will include the following:
Large break LOCA Small break LOCA Inadequate core cooling conditions Steam generator tube rupture Steam line break Void in Reactor Vessel Natural circulation Loss of all feedwater Anticipated transient without scram The intent of the selected validation transient set is to test to the extent practicable a high percentage of the SPDS logic in order to ensure.that alarmed conditions are valid and sufficient.
-1 3-Human Factors Engineerina Branch Scope of SPDS In its SPDS safety analysis, the licensee / applicant defines the McGuire/
Catawba SPDS as the six Critical Safety Function (CSF) color blocks that
4 are driven by logic that is based on Westinghouse Owners' Group decision trees which are part of the symptom-oriented emergency procedures.
The staff finds _this position unacceptable on the basis that the six CSF color blocks alone do not give sufficient information to accurately
-determine plant safety status. The staff requires that the actual value of each of the SPDS parameters be readily available to the operator.
It appears that this information may already be available on the Operator
- Aid Computer, of which' SPDS is a part.
The applicant should clarify / redefine its position regarding the scope of the SPDS.
'I
Response
The Safety Parameter Display System (SPDS) utilized at the McGuire/and Catawba Nuclear Stations is a program on the Operator Aid Computer (OAC).
This software continually evaluates the status of the six Critical Safety Functions (CSF's). Each CSF is monitored by checking pertinent process parameters for symptoms of degraded conditions (i.e., setpoints exceeded).
The six CSF blocks are displayed on the OAC alarm video and provide the operators with an overview of the safety status of the plant. When a particular system parameter indicates a potential challenge to a Critical Safety Function, the appropriate SPDS block changes color corresponding to the level of degradation.
The actual value of SPDS parameters is readily available to the Operator on the OAC. To assess the cause of a degraded safety function, the operator calls up a secondary display. Each of the CSF's has a graphic display designated as a CSF status tree. The status tree is a branching logic diagram that checks for pertinent setpoints being exceeded. By checking a particular status tree the operator can determine the plant condition which caused the CSF block to change color. Another feature of this secondary display is a listing of the particular computer points that are in alarm, and the present value or condition on those computer points.
In addition to these secondary displays developed to support the SPDS, the operator has available the remaining 0AC features such as system schematics, input display lists, trend recording, alarms, etc.
4
.k 1
. - -