ML20137Y176

SER Accepting SPDS for Interim Implementation Until Listed Open Items Resolved
Person / Time
Site: McGuire (Duke Energy)
Issue date: 02/28/1986
From: Office of Nuclear Reactor Regulation
To:
Shared Package: ML20137Y168
References: NUDOCS 8603120183


Text


ENCLOSURE SAFETY EVALUATION REPORT FOR THE MCGUIRE NUCLEAR STATION, UNITS 1 AND 2 SAFETY PARAMETER DISPLAY SYSTEM

I. INTRODUCTION

All holders of operating licenses issued by the Nuclear Regulatory Commission (licensees) and applicants for an operating license (OL) must provide a Safety Parameter Display System (SPDS) in the control room of their plant. The Commission approved requirements for the SPDS are defined in Supplement 1 to NUREG-0737.

The purpose of the SPDS is to provide a concise display of critical plant variables to control room operators to aid them in rapidly and reliably determining the safety status of the plant. NUREG-0737, Supplement 1, requires licensees and applicants to prepare a written safety analysis describing the basis on which the selected parameters are sufficient to assess the safety status of each identified function for a wide range of events, which include symptoms of severe accidents.

Licensees and applicants shall also prepare an Implementation Plan for the SPDS which contains schedules for design, development, installation, and full operation of the SPDS as well as a design Verification and Validation (V&V) Plan. The Safety Analysis and the Implementation Plan are to be submitted to the NRC for staff review. The results from the staff's review are to be published in a Safety Evaluation Report (SER).

SUMMARY

Duke Power Company (DPC or licensee) submitted, for staff review, documentation regarding the SPDS for McGuire Nuclear Station (Ref. 1). The staff requested further information from the licensee on August 28, 1984 (Ref. 3). The licensee responded in a letter dated November 2, 1984 (Ref. 4). Subsequent requests for information were issued on December 19, 1984 (Ref. 5) and May 15, 1985 (Ref. 10). The licensee responded to these requests for information in its letters dated February 8, 1985 (Ref. 13) and August 13, 1985 (Ref. 11). A final staff request dated November 7, 1985 (Ref. 12) was responded to by DPC on November 27, 1985 (Ref. 6). Clarification of DPC positions regarding parameter selection and the scope of SPDS was obtained in teleconferences on December 11 and 18, 1985 (Ref. 7 and 8).

Since the SPDS developed by DPC is being implemented in identical form at both the Catawba Station and the McGuire Station, the staff combined some aspects of the Catawba and McGuire reviews. For instance, an on-site Design Verification/Validation Audit of the Catawba Station was conducted on May 13-15, 1985. Included in the audit was a visit to the McGuire simulator. In addition, the staff spent some additional time in discussion with DPC personnel in order to ascertain that the McGuire and Catawba SPDS designs are identical. Specific findings were documented in an audit report (Ref. 2).

Based on the above review, the staff concludes that the McGuire SPDS does not fully meet the applicable provisions of Supplement 1 to NUREG-0737. However, since the staff did not identify any serious safety concerns with the existing system, the McGuire SPDS may be operated as an interim implementation until the open issues identified herein are resolved.

III. A. SPDS DESCRIPTION

The McGuire SPDS is essentially a software implementation on the existing plant process computer. The SPDS displays are presented on cathode-ray tubes (CRTs) that are an integrated part of the control room. Operator access to displays is through the existing keyboards that are also used for accessing other plant programs and displays. The capability for continuous monitoring of plant safety status is provided in the form of six critical safety function blocks displayed at the bottom of the "alarm video", a CRT centrally located on the main control board. In addition, the critical safety function blocks may be displayed on two other CRTs that are available in the control room.

B. PARAMETER SELECTION

Section 4.1.(f) of Supplement 1 to NUREG-0737 states that:

"The minimum information to be provided shall be sufficient to provide information to plant operators about:

(i) Reactivity Control
(ii) Reactor core cooling and heat removal from the primary system.
(iii) Reactor coolant system integrity
(iv) Radioactivity control
(v) Containment conditions."

For review purposes, these five items have been designated as Critical Safety Functions (CSFs).*

In the evaluation of the SPDS, the staff has considered the Westinghouse Owners Group's, "Westinghouse Emergency Response Guidelines (ERGs) Program," which was reviewed and approved by the staff (Reference 9), as a principal technical source of variables important to operational safety. The SPDS variables selected by the licensee and their coordination with the CSFs are summarized in Reference 1.

The staff has reviewed the applicant's Safety Analysis Report on the McGuire SPDS. Although the variables selected do comprise a generally comprehensive list, the following important variables are not proposed for the McGuire SPDS.

1. Hot Leg Temperature
2. RHR Flow Rate
3. Stack Monitor
4. Steam Generator (or steamline) Radiation
5. Containment Isolation

The staff notes that the Catawba/McGuire SPDS design is based on the six critical safety functions defined by the Westinghouse Owners' Group rather than the five critical safety functions defined in Supplement 1 to NUREG-0737.

Hot leg temperature is a key indicator used in the ERGs (Revision 1, "ES-0.1, Attachment A," "Generic Instrumentation," page 3) to determine the viability of natural circulation as a mode of heat removal. Reference 1 indicates "NC System temperature" as a proposed variable, but does not specify hot leg temperature. In its most recent submittal (Ref. 6) the licensee states that wide range hot leg RTDs are utilized as inputs to monitor subcooling. The staff finds this position unacceptable because specific, actual values are not displayed. It is the staff's opinion that the current value of hot leg temperature must be displayed in order for an operator to accurately assess whether natural circulation can be initiated and maintained as a mode of heat removal.

During RHR and ECCS modes of cooling when steam generators are not available, RHR flow is a key indicator to monitor the viability of the heat removal system. Steamline (or steam generator) radiation, in conjunction with containment radiation and reactor stack radiation, gives a rapid assessment of radiation status for the most likely radioactive release paths to accomplish the "Radioactivity Control" safety function.

For a rapid assessment of radioactivity control, the licensee has not demonstrated how radiation in the secondary system (steam generators and steamlines) is monitored by SPDS when the steam generators and/or their steamlines are isolated. In Reference 6 the licensee states that loss of RHR flow will result in a loss of RCS inventory and a reduction in core cooling. Although this may be true, it does not address the staff's concern, i.e., the viability of the heat transfer process (rather than the effects of that process). Nor did the licensee's response address the staff's concern about monitoring radiation release paths, in particular the status of the steam lines and steam generators. DPC has limited its discussions about SPDS to actions in plant emergency procedures. Supplement 1 to NUREG-0737 calls for the SPDS to be available for continuous assessment of plant safety status during normal, abnormal, and emergency conditions. It also calls for information to be provided relevant to radioactivity control. Since the McGuire SPDS does not provide some measure of steam generator radiation, the staff concludes that these provisions of Supplement 1 have not been fully satisfied. For example, if after a steam generator tube rupture incident, it was deemed necessary to no longer isolate the faulted steam generator, it appears unlikely that the operator could assess the SG radiation status to ascertain the advisability of such action and determine the appropriate disposition of SG fluid.

Containment isolation is an important parameter for use in making a rapid assessment of "Containment Conditions." In particular, a determination that known process pathways through containment have been secured provides significant additional assurance of containment integrity. In its response to the staff's questions on this subject (Ref. 6), the licensee stated that the status of containment isolation can be verified at any time by checking the monitor light panels in the control room. The staff finds this reasoning unacceptable.

Assumedly, most important variables that are displayed on the SPDS are also displayed and verifiable on existing control panels. This should be true if the design basis of the control room was comprehensive and correct. The SPDS is not intended to replace control room indications; it is intended to gather together important indications so that they can be observed concurrently in a concise display. The monitor light panels referred to in the licensee's response do not provide this capability.

The above variables do, for given scenarios, provide unique inputs to the determinations of status for their respective CSFs, which have not been discussed by the licensee as being satisfied by other variables in the proposed McGuire SPDS list. The licensee should address these variables and their functions by: (1) adding the variables to the SPDS, or (2) providing alternate added variables along with justifications that these alternates accomplish the same safety functions for all scenarios.

Based on this review of the licensee's supporting analysis, and the observation that the selected variables appear to be consistent with the Westinghouse Owners Group ERGs, the staff finds the proposed list of key variables to be generally acceptable, with exceptions noted above.

Finally, design flexibility should be provided for possible future expansion of the SPDS. For example, with consideration of the Westinghouse Owners Group ERGs and with possible amendments to the ERGs, other key variables may be identified to assess the safety status of the CSFs.

C. DISPLAY DATA VALIDATION

The staff reviewed the licensee's submittals to determine that means are provided in the design to assure that the data displayed are valid.

The method of data validation currently used in the McGuire SPDS is range/status checking supplemented by redundant sensor logic if more than one sensor is available.

Each computer analog input is continuously monitored for over and under range conditions, scan lockout, and out of service status. Digital input power fuses are also monitored. When an input involving a function becomes invalid (blown fuse, over/under range, out of service, etc.) but the CSF status can still be determined from the remaining inputs, an alarm indicating an invalid input for the particular function affected is displayed. If the invalid input affects the determination of the status, the affected CSF block changes to magenta indicating an indeterminate condition and remains in this state until the invalid input can be corrected or until the input is locked out to a known valid value or status.
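The range/status check and the indeterminate state described above can be sketched as follows. This is an added example, not code from the McGuire SPDS or from the report; the input names, ranges, alarm limits and the NORMAL/ALARM labels are constructed, and it assumes a variable can still be determined when at least one of its redundant sensors is valid (the report names only magenta, for the indeterminate state).

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AnalogInput:
    name: str
    value: float
    lo: float                               # bottom of instrument range
    hi: float                               # top of instrument range
    scan_lockout: bool = False
    out_of_service: bool = False
    locked_value: Optional[float] = None    # known valid value set on lockout

    def fault(self) -> Optional[str]:
        """Return why the input is invalid, or None if it is usable."""
        if self.locked_value is not None:
            return None                     # locked out to a known valid value
        if self.out_of_service:
            return "out of service"
        if self.scan_lockout:
            return "scan lockout"
        if self.value < self.lo:
            return "under range"
        if self.value > self.hi:
            return "over range"
        return None

    def reading(self) -> float:
        return self.value if self.locked_value is None else self.locked_value


def evaluate_csf(variables, limits):
    """variables: {variable: [redundant AnalogInput, ...]}
    limits: {variable: alarm limit} (constructed setpoints).
    Returns (block status, list of invalid-input alarms)."""
    invalid, unresolved, tripped = [], False, False
    for var, sensors in variables.items():
        good = []
        for s in sensors:
            reason = s.fault()
            if reason:
                invalid.append(f"{s.name}: {reason}")
            else:
                good.append(s.reading())
        if not good:
            unresolved = True       # no remaining input supplies this variable
        elif max(good) > limits[var]:
            tripped = True          # assumption: any valid channel over limit trips
    if unresolved:
        return "MAGENTA", invalid   # indeterminate until corrected or locked out
    return ("ALARM" if tripped else "NORMAL"), invalid


def constructed_case(temp_locked=None):
    """Constructed inputs: two redundant pressure channels, one temperature."""
    variables = {
        "pressure": [AnalogInput("press_A", 2200.0, 0.0, 3000.0),
                     AnalogInput("press_B", 3400.0, 0.0, 3000.0)],  # over range
        "temperature": [AnalogInput("temp_A", 550.0, 0.0, 700.0,
                                    out_of_service=True,
                                    locked_value=temp_locked)],
    }
    return evaluate_csf(variables, {"pressure": 2400.0, "temperature": 620.0})


if __name__ == "__main__":
    print(constructed_case())                   # temperature unresolved
    print(constructed_case(temp_locked=560.0))  # locked to a known valid value
```

The invalid redundant pressure channel only raises an invalid-input alarm, while the single out-of-service temperature channel makes the whole block indeterminate until it is locked out to a known value.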

The staff finds this method to be acceptable as an interim measure based on the fact that Duke Power is involved in an Electric Power Research Institute (EPRI) project investigating signal validation techniques and is committed to evaluating the results of that program (EPRI Project RP-2292-1, "Validation and Integration of PWR Signals") to improve the current data validation methodology, if feasible.

Information Needed for Confirmatory Review

A description of the improvements to the current data validation methodology should be submitted to the staff when the licensee has finalized the data validation methodology, i.e. incorporated appropriate techniques from the EPRI study. This information should be submitted no later than August 1, 1987.

D. HUMAN FACTORS PROGRAM

The staff evaluated the Duke Power submittals for a commitment to a Human Factors Program in the development of the SPDS.

DPC has attempted to incorporate good human engineering principles into the McGuire SPDS design at several points in the design process. Initially, when the design was conceptualized in early 1982, the design basis was independently reviewed by an EPRI staff member with experience in SPDS design. Since the design logic is based on the status trees of the Westinghouse ERGs, it also benefitted from the Westinghouse human factors input, albeit indirectly.

However, the bulk of the human factors input was derived from coordination with the Duke Power Company efforts on the Detailed Control Room Design Review (DCRDR). During the SPDS development* the control room review team conducted a task analysis using a mockup and color slides of proposed SPDS displays. The analysis also examined the order and format of supporting (non-SPDS) displays, their usability, and ability to support operator tasks as defined in the Westinghouse ERGs.

After implementation the control room review team surveyed the computer displays including SPDS using a checklist that was derived from NUREG-0700. Areas of review included color usage, glare, labels, keyboard arrangement, and other human factors issues. In addition, operator comments were solicited as part of the Operating Experience Review phase of the DCRDR.

The staff identified no significant deviations from good human engineering practice in the SPDS displays or interface devices.

However, the staff did identify a significant problem in the content of the SPDS displays. As presently defined by DPC the scope of the McGuire SPDS encompasses only the six color blocks that are intended to represent the status of the critical safety functions. DPC does not consider any of the supporting displays such as the Emergency Operating Procedure status tree displays and input display lists to be a part of SPDS.

* Development of both the Catawba SPDS and the McGuire SPDS was actually done on the McGuire plant - the Catawba and McGuire SPDSs are conceptually and programmatically identical.

Given this limited scope, the staff concludes that the CSF color blocks do not provide sufficient information from which an operator can assess the safety status of the plant. First, the CSF color blocks do not include as inputs all of the variables judged by the staff to be necessary for assessment of the CSFs (see Section III.B of this report). The staff requires that the variables listed below be added to the McGuire SPDS:

1. Hot Leg Temperature
2. RHR Flow Rate
3. Stack Monitor
4. Steam Generator (or steamline) Radiation
5. Containment Isolation

Secondly, since the color blocks do not provide the actual value of the input variables, the operator cannot determine either the current state of a variable or its trend. It is also impossible to determine which variable is in alarm using the McGuire SPDS, i.e. the CSF color blocks.

Therefore, in addition to providing the variables discussed above as input to the CSF color blocks, the McGuire SPDS should be redesigned/defined to include the actual value of all of the SPDS input variables as well as the five additional variables discussed above.

These actual values should be provided on easily accessible, logically grouped displays similar to those now defined as supporting displays, e.g. status tree displays, CSF input list displays.


E. ELECTRICAL AND ELECTRONIC ISOLATION

The SPDS at McGuire is a software implementation on the operator aid computer (OAC) system. The OAC has both Class 1E and non-Class 1E sensor inputs. The Class 1E inputs are isolated from the OAC by qualified isolation amplifiers, Westinghouse series 7300, that were reviewed and accepted by the staff in the following documents: (1) WCAP-8892-A "Westinghouse 7300 Series Process Control System Noise Tests," June 1977, (2) NRC letter, R. Tedesco to C. Eicheldinger, Westinghouse Electric Company, April 20, 1977. The only exception to this configuration is the interface between the high range containment radiation channels and the SPDS - these are isolated using E-MAX devices.

The E-MAX devices were subjected to dielectric and transverse mode tests. The dielectric test was performed using 2500V RMS applied to the input and output connections. The device passed this test satisfactorily with no breakdown of the dielectric. For the transverse mode test the maximum credible fault was determined to be 120 VAC limited to 20 amperes. This fault voltage was applied across the plus and minus outputs of the device. The device was energized in the normal fashion with separate sources and a storage type oscilloscope was connected to the input to detect any propagation of the fault to the input signal circuitry. The pass/fail criteria for the transverse mode test was that upon application of the fault to the output circuitry (non-Class 1E side) the input circuitry (Class 1E side) must sustain no damage and the fault should not propagate to the input.

Upon the application of the fault, the input circuitry oscilloscope recorded a 147 millivolt (mv) spike of a few milliseconds duration. This low voltage spike was attributed to noise being generated as the output circuit components were being destroyed. The noise spike was not detrimental to the input circuit.

Based on an audit of the above documentation on isolation amplifiers and the E-MAX isolators, the topical report, and the previous staff approval of this report, the staff concludes that these devices are acceptable for interfacing the OAC/SPDS with safety-related systems, and that this equipment meets the Commission's requirements as stated in NUREG-0737, Supplement No. 1.

V. CONCLUSIONS

Based on its documentation review and information gathered at the Catawba audit, the staff concludes that the McGuire Safety Parameter Display System does not fully meet the applicable requirements of Supplement 1 to NUREG-0737. This conclusion is based on the following:

The variables included in the SPDS are not sufficient to provide the minimum information required to assess the critical safety functions. In addition, the SPDS variables are not displayed for operator viewing - only alarm boxes are displayed.

In order to resolve this deficiency, DPC should add five additional variables to the SPDS -

- Hot Leg Temperature
- RHR Flow Rate
- Stack Monitor
- Steam Generator (or Steamline) Radiation
- Containment Isolation Status.

In addition, all SPDS variables including the five listed above should be displayed for operator viewing. These displays should be logically grouped and easily accessible.

Because the staff did not identify any serious safety questions concerning the McGuire SPDS, the staff concludes that it is acceptable as an interim implementation and may be used until the open items identified above have been resolved.

REFERENCES

1. Letter from H. B. Tucker (DPC) to H. R. Denton (NRC) dated March 29, 1984, forwarding Revision 4 to DPC response to Supplement 1 to NUREG-0737 (SPDS Safety Analysis included as Section 4).
2. Letter from E. G. Adensam (NRC) to H. B. Tucker (DPC) dated September 10, 1985, forwarding results of the staff's audit of SPDS conducted May 13-15, 1985.
3. Letter from E. G. Adensam (NRC) to H. B. Tucker (DPC) dated August 28, 1984.
4. Letter from H. B. Tucker (DPC) to H. R. Denton (NRC) dated November 2, 1984.
5. Letter from E. G. Adensam (NRC) to H. B. Tucker (DPC) dated December 19, 1984, forwarding a request for information.
6. Letter from H. B. Tucker (DPC) to H. R. Denton (NRC) dated November 27, 1985, forwarding responses to NRC letters dated September 10, 1985 and October 31, 1985, and November 7, 1985.
7. Teleconference between K. Jabbour, G. Lapinsky, F. Orr (NRC) and R. Sharp, et al (DPC), December 11, 1985.
8. Teleconference between K. Jabbour, G. Lapinsky, F. Orr (NRC) and R. Sharp, et al (DPC), December 18, 1985.
9. Safety Evaluation of "Emergency Response Guidelines," Generic Letter 83-22, June 8, 1983.
10. Letter from E. Adensam (NRC) to H. B. Tucker (DPC) dated May 15, 1985.
11. Letter from H. B. Tucker (DPC) to H. Denton (NRC) dated August 13, 1985.
12. Letter from E. Adensam (NRC) to H. B. Tucker (DPC) dated November 7, 1985.
13. Letter from H. B. Tucker (DPC) to H. Denton dated February 8, 1985.

Mr. H. B. Tucker
Duke Power Company
McGuire Nuclear Station

cc:

Mr. A. Carr, Duke Power Company, P. O. Box 33189, 422 South Church Street, Charlotte, North Carolina 28242

Dr. John M. Barry, Department of Environmental Health, Mecklenburg County, 1200 Blythe Boulevard, Charlotte, North Carolina 28203

Mr. F. J. Twogood, Power Systems Division, Westinghouse Electric Corp., P. O. Box 355, Pittsburgh, Pennsylvania 15230

County Manager of Mecklenburg County, 720 East Fourth Street, Charlotte, North Carolina 28202

Mr. Robert Gill, Duke Power Company, Nuclear Production Department, P. O. Box 33189, Charlotte, North Carolina 28242

Chairman, North Carolina Utilities Commission, Dobbs Building, 430 North Salisbury Street, Raleigh, North Carolina 27602

J. Michael McGarry, III, Esq., Bishop, Liberman, Cook, Purcell and Reynolds, 1200 Seventeenth Street, N.W., Washington, D. C. 20036

Mr. Dayne H. Brown, Chief, Radiation Protection Branch, Division of Facility Services, Department of Human Resources, P.O. Box 12200, Raleigh, North Carolina 27605

Senior Resident Inspector, c/o U.S. Nuclear Regulatory Commission, Route 4, Box 529, Hunterville, North Carolina 28078

Regional Administrator, Region II, U.S. Nuclear Regulatory Commission, 101 Marietta Street, N.W., Suite 2900, Atlanta, Georgia 30323

L. L. Williams, Operating Plants Projects Regional Manager, Westinghouse Electric Corporation - R&D 701, P. O. Box 2728, Pittsburgh, Pennsylvania 15230