ML20137T887
| ML20137T887 | |
| Person / Time | |
|---|---|
| Site: | McGuire, Mcguire  |
| Issue date: | 02/06/1986 |
| From: | NRC |
| To: | |
| Shared Package | |
| ML20137T884 | List: |
| References | |
| RTR-NUREG-0737, RTR-NUREG-737 NUDOCS 8602180580 | |
| Download: ML20137T887 (14) | |
Text
7. .
t
- ENCLOSURE SAFETY EVALUATION REPORT ~ I-3....--
FOR THE ., ;-
MCGUIRE NUCLEAR STATION, UNITS 1 AND 2 SAFETY PARAMETER DISPLAY SYSTEM o-I. -INTRODUCTION
~~
M1 holders of operating licenses issued by the Nuclear Regulatory Comission (licensees) and applicants for an operating license (0L) must t.
T provide a Safety Parameter Display System (SPDS) in the control room of-their plant. The Commission approved requirements for the SPDS are defined in Supplement I to NUREG-0737.
~.
- The purpose of the SPDS is to provide a concise display of critical
~
plant variables to control room operators to aid them in rapidly and reliably determining the safety status of the plant. NUREG-0737, A Supplement 1, requires licensees and applicants to prepare a written safety analysis describing the basis on which the selected parameters are sufficient to assess the safety status of each identified function for a wide range of events, which include symptoms of severe accidents.
Licensees and applicants shall also prepare an Implementation Plan for the SPDS which contains schedules for design, development, pistallation, i:
and full operation of the SPDS as well as a design Verificat, ion and 9602190500 G40204 PDR ADOCK 05000369 P PDR
.~. ,-
~
Validation (V&V) Plan. The Safety Analysis and the Implementation Plan are to be submitted to the NRC for staff review. The resillSs from the staff'sreviewaretobepublishedinaSafetyEvaluatio$Rdport(SER).
II.
SUMMARY
Duke Power Company (DPC) submitted, for staff review, documentation regarding the SPDS for McGuire Nuclear Station (Ref. 1). The staff a-requested further information from the licensee on August 28, 1984 (Ref. 3). The licensee responded in a letter dated November 2, 1984
- (Ref.4). Subsequent requests for information were issued on December 19, 1984 (Ref. 5) and.May 15, 1985 (Ref. 10). The licensee responded t6' these requests for information in its letters dated February 8,1985 (Ref. 13) and August 13, 1985 (Ref. 11). Clarification of DPC positions regarding parameter selection and the scope of SPDS was obtained in
~.
- teleconferences on December 11 and 18, 1985 (Ref. 7 and 8).
Since the SPDS developed by DPC is being implemented in identical form 5, at both the Catawba Station and the McGuire Statien, the staff combined
~
some aspects of the Catawba and McGuire reviews. For instance, an on-site Design Verification / Validation Audit of the Catawba Station was conducted on May 13-15, 1985. Included in the audit was a visit to the McGuire simulator. In addition, the staff spent some additional time in discussion with DPC personnel in order to ascertain that the.McGuire and Catawba SPDS designs are identical. Specificfindingswere(documented in an audit report (Ref. 2).
Based on the above review, the staff concludes that the Mcduire SPDS does not fully meet the applicable provisions of Supplements 1 to 1 s: -
NUREG-0737. However, since the staff did not identify any serious safety concerns with the existing system, the McGuire SPDS may be operated as an interim implementation until the open issues identified herein are resolved.
III A. SPDS DESCRIPTION
~
The McGuire SPDS is essentially a software implementation on the existing plant process computer. The SPDS displays are presented on cathode-ray tubes (CRTs) that are an integrated part of the control 1' room. Operator access to displays is through the existing keyboards that are also used for accessing other plant programs and displays. The capability for continuous monitoring of plant safety status is provided
~;.
, in the form of six critical safety function blocks displayed at the
~
bottom of the " alarm video", a CRT centrally located on the main control board. In addition, the critical safety function blocks may be
- , displayed on two other CRTs that are available in the control room.
B. PARAMETER SELECTION Section 4.1.(f) of Supplement 1 to NUREG-0737 states that:
"The minimum information to be provided shall be sufficient to provide information to plant operators about: -
(1) Peactivity Control i; (ii) Reactor core cooling and heat removal f'r'om the primary system
(iii) Reactor coolant system integrity (iv) Radioactivity control ', {J., .
(v) Containment conditions." ~.
For review purposes, these five items have been designated as Critical Safety Functions.*
o-In the evaluation of the SPDS, the staff has considered the Westinghouse Owners Group's, " Westinghouse Emergency Response Guidelines (ERGS)
~
Program," which was reviewed and approved by the staff (Reference 9), as t.
I a principal technical source of variables important to operational
- safety. The SPDS variables selected by the licensee and their coordination with the CSFs are summarized in Reference 1.
~..
The staff has reviewed the applicant's Safety Analysis Report on the McGuire SPDS. Although the variables selected do comprise a generally
_ comprehensive list, the following important variables are not proposed for the McGuire SPDS.
- 1. Hot Leg Temperature
- 2. RHR Flow Rate
- 3. Stack Monitor
- 4. Steam Generator (or steamline) Radiation .,
- 5. Containment Isolation b t-
- The staff notes that the Catawba /McGuire SPDS design is based on the six critical safety functions defined by the Westinghouse Owners' Group rather than the five critical safety functions defined in Supplement I to NUREG-0737.
~
Hot leg temperature is a key indicator used in the ERGS (Revision 1, "ES-0.1, Attachment A," " Generic Instrumentation," page 3') "o i determine
- 1 7:'
the viability of natural circulation as a mode of heat remo_ val.
Reference 1 indicates "NC System temperature" as a proposed variable, but does not specify hot leg temperature.
During RHR and ECCS modes of cooling when steam generators are not o-available, RHR flow is a key indicator to monitor the viability of the
~~
heat removal system. Steamline (or steam generator) radiation, in conjunction with containment radiation and reactor stack radiation, gives y a rapid assessment of radiation status for the most likely radioactive .
release paths to accomplish the " Radioactivity Control" safety function.
For a rapid assessment of Radioactivity Control, the licensee has not demonstrated how radiation in the secondary system (steam generators and
-e.
- steamlines) is monitored by SPDS when the steam generators and/or their
~
steamlines are isolated.
5, Containment isolation is an important parameter for use in making a rapid assessment of " Containment Conditions." In particular, a determination that known process pathways through containment have been secured provides significant additional assurance of containment integrity.
E.
Theabovevariablesdo,forgivenscenarios,provideuniquei;inputsto 7
the determinations of status for their respective CSFs, whihh have not been discussed by the ifcensee as being satisfied by other ,k,ariables in
- p. --
the proposed McGuire SPDS list. The licensee should address these variables and their functions by: (1) adding the variables to the SPDS, or (2) providing alternate added variables along with justifications that these alternates accomplish the same safety functions for all scenarios.
o-
~~
Based on this review of the licensee supporting analysis, and the observation that the selected variables appear to be consistent with the t.
I Westinghouse Owners Group ERGS, the staff finds the proposed list of key variables to be generally acceptable, with exceptions noted above.
,,,, Finally, design flexibility should be provided for possible future expansion of the SPDS. For example, with consideration of the Westinghouse Owners Group ERGS and with possible amendments to the ERGS, other key variables may be identified to assess the safety status of the e- CSFs.
C. DISPLAY DATA VALIDATION The staff reviewed the licensee's submittals to determine that means are provided in the design to assure that the data displayed are valid.
O*
5'.
r-
~~
The method of data validation currently used in the McGuire. SPDS is
~
range / status checking supplemented by redundant sensor logik if more-1 *::-
than one sensor is available. , ;-
Each computer analog input is continuously monitored for over and under range conditions, scan lockout, and out of service status. Digital input power fuses are also monitored. When an input involving a o-function becomes invalid (blown fuse, over/under range, out of service,
~~
etc.) but the CSF status can still be determined from the remaining inputs, an alarm indicating an invalid input for the particular function t.
T affected is displayed. If the invalid input affects the determination -
of the status, the affected CSF block changes to magenta indicating an indeterminate condition and remains in this state until the invalid input can be corrected or until the input is locked out to a known valid value or status.
The staff finds this method to be acceptable as an interim measure based e- on the fact that Duke Power is involved in an Electric Power Research Institute (EPRI) project investigating signal validation techniques and is committed to evaluating the results of that program (EPRI Project RP-2292-1,"ValidationandIntegrationofPWRSignals")toimprovethe current data validation methodology, if feasible.
8 i.'
l J
Information Needed for Confirmatory Review l.
A description of the improvements to the current data vafida'; tion __
methodology should be submitted to the staff when the licensee has finalized the data validation methodology, i.e. incorporated appropriate techniques from the EPRI study. This information should be submitted no later that August 1, 1987. .
c-D. HUMAN FACTORS PROGRAM The staff evaluated the Duke Power submittals for a commitment to a Human Factors Program in the development of the SPDS. I' DPC has attempted to incorporate good human engineering principles into the McGuire SPDS design at several points in the design process.
~.
- Initially, when the design was conceptualized in early 1982, the design
~
basis was independently reviewed by an EPRI staff member with experience in SPDS design. Since the design logic is based on the status trees of
- ., the Westinghouse ERGS, it also benefitted from the Westinghouse human factors input, albeit indirectly.
However, the bulk of the human factors input was derived from coordination with the Duke Power Company (DPC) efforts on the Detailed
Control Room Design Review (DCRDR). During the SPDS development
- the control room review team conducted a tash analysis using 'a hiockup and 5 s :-
color slides of proposed SPDS displays. The analysis alsu. examined the order and format of supporting (non-SPDS) displays, their usability, and ability to support operator tasks as defined in the Westinghouse ERGS. After implementation the control room review team surveyed the computer displays including SPDS using a check-list that was derived O'
from NUREG-0700. Areas of review included color usage, glare, labels,
~~
keyboard arrangement, and other human factors issues. In addition, operator comments were solicited as part of the Operating Experience t.
- Review phase of the DCRDR. -
The staff identified no significant deviations from good human engineering practice in the SPDS displays or interface devices, s.
- However,.the staff did identify a significant problem in the content of-
~
the SPDS displays. As presently defined by DPC the scope of the McGuire SPDS encompasses only the six color blocks that are intended to represent !
A the status of the critical safety functions. DPC does not consider any of the supporting displays such as the Emergency Operating Procedure status tree displays and input display lists to be a part of SPDS.
Given this limited scope, the staff concludes that the critical safety
- Development of both the Catawba SPDS and the McGuire SPDS waY actually doneontheMcGuireplant-theCatawbaandMcGuireSPDSsaf(e conceptually and programmatically identical.
~.
?. .
f .l ,
function (CSF) color blocks do not provide sufficient infoYhation from which an operator can ak'sess the safety status of the p1a,nt First, the s ;
CSF color blocks do not include as inputs all of the variables judged by the staff to be necessary for assessment of the critical safety functions (see Section III.B of this report). The staff requires that the variables listed below be added to the McGuire SPDS:
E*
- 1. Hot Leg Temperature
~~
- 2. RHR Flow Rate
- 3. Stack Monitor t-T 4. Steam Generator (or steamline) Radiation *
- 5. Containment Isolation Secondly, since the color blocks do not provide the actual value of the input variables, the operator cannot determine either the current state cf a variable or its trend. It is also impossible to determine which variable is in alarm using the McGuire SPDS, i.e. the CSF color blocks.
A- Therefore, in addition to providing tre variables discussed above as input to the CSF color blocks, the McGuire SPDS should be redesigned / defined to include the actual value of all of the SPDS input s variables as well as the five additional variables discussed above.
These actual values should be provided on easily accessible, logically groupeddisplayssimilartothosenowdefinedassupportingsdisplays, e.g. status tree displays, CSF input list displays. t; l
l l
i
F
~
E. ELECTRICAL AND ELECTRONIC ISOLATION TheSPDSatMcGuireisasoftwareimplementationontheope)atoraid computer (0AC) system. TheOAChasbothClassIEandnoN-C$hssIE sensor inputs. The Class IE inputs are isolated from the OAC by qualified isolation amplifiers, Westinghouse series 7300, that were reviewed and accepted by the staff in the following documents: (1)
WCAP-8892-A " Westinghouse 7300 Series Process Control System Noise Tests," June 1977, (2) NRC letter, R. Tedesco to C. Eicheldinger, Westinghouse Electric Company, April 20, 1977. The only exception to
. this configuration is the interface between the high range containment radiation channels and the SPDS - these are isolated using E-MAX l' devices.
The E-MAX devices were subjected to dielectric and transverse mode w.
, tests. The dielectric test.was performed using 2500V RMS applied to the
~
input and output connections. The device passed this test satisfactorily with no breakdown of the dielectric. For the transverse g mode test the maximum credible fault was determined to be 120 VAC
~
limited to 20 amperes.
This fault voltage was applied across the plus and minus outputs of the device. The device was energized in the normal fashion with separate sources and a storage type oscilloscope (scope) was connectp to the input to detect any propagation of the fault to the input siignal circuitry. The pass / fail criteria for the transverse mode Yest was that
upon application of the fault to the output circuitry (non-Class IE side)theinputcircuitry(ClassIEside)mustsustain'nodfm,ageandthe 2 e fault should not propagate to the input. - .;
Upon the application of the fault, the input circuitry scope recorded a 147 millivolt (mv) spike of a few milliseconds duration. This low voltage spike was attributed to noise being generated as the output B*
circuit components were being destroyed. The noise spike was not
~~
detrimental to the input circuit.
I Based on an audit of the above documentation on isolation amplifiers and the E-MAX isolators, the topical report, and the previous staff approval of this report, the staff concludes that these devices are acceptable for interfacing the OAC/SPDS with safety-related systems, and that this equipment meets the Commission's requirements as stated in NUREG-0737, Supplement No. 1.
A- V. CONCLUSIONS Based on its documentation review and information gathered at the Catawba audit, the staff concludes that the McGuire Safety Parameter Display System does not fully meet the applicable requirements of Supplement 1 to NUREG-0737. This conclusion is based on the following:
O e
The variables included in the SPDS are not sufficient to provide theminimuminformationrequiredtoassessthecriticaNsafety ~
- 1 y:-
functions. In addition, the SPDS variables are not-dj. splayed for operator viewing - only alarm boxes are displayed.
In order to resolve this deficiency, DPC should add five additional variables to the SPDS -
~~
Hot Leg Temperature RHR Flow Rate
.a ..
17 Stack Monitor
- Steam Generator (or Steamline) Radiation Containment Isolation Status.
~
- In addition, all SPDS variables including the five listed above should be displayed for operator viewing. These displays should be logica7.ly grouped and easily accessible.
+,
Because the staff did not identify any serious safety questions-concerning the McGuire SPDS, the staff concludes that it is acceptable as an interim implementation and may be used until the open items identified above have been resolved.
E.
l-1 I
f
F REFERENCES
~
- 1. Letter from H. B. Tucker (DPC) to H. R. Denton (NRC) dated March 29, 1984, forwarding Revision 4 to DPC response to Supplement lyto NUREG-0737 (SPDS Safety Analysis included as Section 4).' ( .
- 2. Letter from E. G. Adensam (NRC) to H. B. Tucker (DPC) daiedi September 10,1985, forwarding results of the staff's audit'of SPDS conducted May 13-15, 1985.
- 3. Letter from E. G. Adensam (NRC) to H. B. Tucker (DPC) dated August 28, 1984.
- 4. Letter from H. 3. Tucker (DPC) to H. R. Denton (NRC) dated November 2, 1984.
- 5. Letter from E. G. idensam (NRC) to H. B. Tucker (DPC) dated December 19, 1984, forwarding a cequest for information.
- 6. Letter from H. B.~Tu:ker (DPC) to H. R. Denton (NRC) dated November 27,
. 1985, forwarding resjonses to NRC letters dated September 10, 1985 and October 31, 1985, and November 7, 1985. ,,
__ 7. Teleconference between K. Jabbour, G. Lapinsky, F. Orr (NRC) and R. Sharp, et al (DPC), December 11, 1985.
- 8. Teleconference between K. Jabbour, G. Lapinsky, F. Orr (NRC) and R. Sharp, et al (DPC), December 18, 1985.
-c- 9. Safety Evaluation of " Emergency Response Guidelines," Generic Letter
, 83-22, June 8, 1983.
~
- 10. Letter from E. Adensam (NRC) to H. B. Tucker (DPC) dated May 15, 1985.
- 11. Letter from H. B. Tucker (DPC) to H. Denton (NRC) dated August 13, 1985.
,, 12. Letter from E. Adensam (NRC) to H. B. Tucker (DPC) dated November 7, 1985. ,
- 13. Letter from H. B. Tucker (DPC) to H. Denton dated February 8,1985.
h t
w _ _ _ _ _ _ _ _