ML20138B583

Audit of SPDS for Northeast Utils,Millstone Unit 3
ML20138B583
Person / Time
Site: Millstone
Issue date: 09/17/1985
From: Johnson G
LAWRENCE LIVERMORE NATIONAL LABORATORY
To:
Shared Package
ML20138B591 List:
References
NUDOCS 8510160297


Text

AUDIT OF THE SAFETY PARAMETER DISPLAY SYSTEM FOR NORTHEAST UTILITIES MILLSTONE UNIT 3

SEPTEMBER 17, 1985

Gary L. Johnson
Wallace O. Wade
Lawrence Livermore National Laboratory

For The United States Nuclear Regulatory Commission

1.0 INTRODUCTION

On July 29 and 30, 1985 an audit of the Millstone 3 Safety Parameter Display System (SPDS) was conducted by the NRC. The NRC audit examined the Millstone 3 Verification and Validation program and reviewed the operation of the SPDS. Thus the audit specifically addressed the points of both a Design Verification Audit and a Design Validation Audit as described by Section 18.2 of NUREG-0800 [2]. The audit team was composed of one individual from the Nuclear Regulatory Commission Human Factors Engineering Branch and two individuals from the Lawrence Livermore National Laboratory acting as consultants to the NRC.

The audit was based upon the recommended criteria of NUREG-0800 Section 18.2. In accordance with that guidance, up to three separate audit meetings/site visits, as described below, may be arranged.

Design Verification Audit. The purpose of this audit meeting is to obtain additional information required to resolve any outstanding questions about the V&V program, to confirm that the V&V program is being correctly implemented, and to audit the results of the V&V activities to date. At this meeting, the applicant should provide a thorough description of the SPDS design process. Emphasis should be placed on how the applicant is assuring that the implemented SPDS will: provide appropriate parameters, be isolated from safety systems, provide reliable and valid data, and incorporate good human engineering practice. To the extent dictated by the completeness of the V&V program plan, the HFEB reviewer will arrange for participation of PSRB and ICSB reviewers at this meeting.

Design Validation Audit. After review of all documentation, an audit may be conducted to review the as-built prototype or installed SPDS. The purpose of this audit is to assure that the results of the applicant/licensee's testing demonstrate that the SPDS meets the functional requirements of the design and to assure that the SPDS exhibits good human engineering practice.

Installation Audit. As necessary, a final audit may be conducted at the site to ascertain that the SPDS has been installed in accordance with the applicant/licensee's plan and is functioning properly. A specific concern is that the data displayed reflect the sensor signal which measures the variable displayed. This audit will be coordinated with and may be conducted by the NRC Resident Inspector.

Based on the advanced state of the Millstone 3 SPDS design, the NRC staff carried out a combined Design Verification and Design Validation audit at Northeast Utilities (NU) engineering offices and at the Millstone 3 plant site.

During the course of this audit the NRC audit team discussed aspects of the Millstone 3 SPDS program with NU. Additionally, the Millstone 3 control room and plant simulator were visited to ascertain the location of SPDS displays in relation to plant control boards.

2.0 OVERVIEW

The Safety Parameter Display System for Millstone Nuclear Power Station, Unit 3 is part of an Emergency Response Information System (ERIS) that combines all plant process computer functions for emergency response tasks. The ERIS hardware consists of redundant MODCOMP 7870 computers that are fed by two redundant pairs of MODCOMP 7840 computers acting as input controllers. These devices are all powered from uninterruptible power supplies. The ERIS hardware was in place before the SPDS requirements were defined.

The Critical Safety Functions (CSFs) selected for the SPDS are consistent with the Westinghouse Owner's Group Emergency Response Guidelines from which the Millstone 3 Emergency Operating Procedures (EOPs) and operator training program are being developed.

Millstone 3 uses two kinds of EOPs:

o Event based optimal recovery procedures that are normally used when the operator can identify the event which has initiated the emergency condition.

o Functionally based restoration guidelines that are used to aid the operator in maintaining critical safety functions when the event that has initiated the emergency condition cannot be identified unambiguously.

The Millstone 3 SPDS is designed to assist the operator in implementing the functional restoration guidelines (EOPs) by providing computer driven displays that show the current state of the Critical Safety Function Status Trees used by the guidelines. The SPDS at this time is not designed to provide the operator assistance with performing normal operations or with implementing the event based optimal recovery procedures.

3.0 VERIFICATION AND VALIDATION

NU has committed to perform a V&V program that conforms with the intent of NSAC/39, "Verification and Validation for Safety Parameter Display Systems" [3]. At the time of the audit, verification of the overall system requirements and software design was complete. Software validation testing had been performed, but the review of test results needed to complete software validation was not finished. Because the Millstone 3 SPDS makes use of a plant computer system that was under design prior to the requirement for SPDS, hardware design verification and total validation of hardware design is not included in the scope of the SPDS V&V program. Nevertheless, system testing is planned to demonstrate overall functionality of the hardware and software.

The Millstone 3 V&V program was implemented with the assistance of a SPDS V&V team. This team was made up of individuals not associated with the SPDS project and, for the most part, not associated with the Millstone 3 project.

The team developed overall V&V requirements for the SPDS in the form of a V&V plan [18]. Actual V&V activities were conducted by NU Generation Engineering and Process Computer Engineering Departments in accordance with configuration control and design review procedures developed for the SPDS and reviewed by the V&V team. Implementation of these procedures was audited by the V&V team during the course of the SPDS development.

The audit team evaluated details of the Millstone 3 V&V program with respect to the recommendations of NSAC/39 during the audit. The observations and conclusions resulting from this evaluation are discussed below.

3.1 SYSTEM REQUIREMENTS REVIEW

NSAC/39 recommends that overall system requirements be reviewed for correctness, completeness, consistency, understandability, feasibility, testability and traceability, in order to verify that a possible and usable solution to the defined problem is being developed.

3.1.1 Audit Team Observations

The Millstone 3 system requirements document is SP-EE-149A, "Millstone Point Unit 3 Safety Parameter Display System Functional Specification" [8]. An independent review of the requirements was performed by NU in order to verify the specified system fulfills the requirements of NUREG-0737 Supplement 1 and conforms with the design guidance of NUREG-0800 Section 18. The Millstone 3 SPDS parameters are identical to the parameters used by plant specific EOP restoration guidelines to evaluate safety status. Parameter selection was verified as part of the Emergency Operating Procedure (EOP) upgrade V&V program. Review of EOP V&V was not included in the NRC audit scope.

The audit team examined the documentation of the specification verification and confirmed that the verification scope addressed the provisions of NUREG-0737 Supplement 1 and the recommended design criteria of NUREG-0800 Section 18.2.

3.2 Design Review

NSAC/39 recommends that design reviews be conducted to insure that hardware and software specifications and detailed design completely implement the system requirements.

3.2.1 Audit Team Observations

As discussed above, the Millstone 3 SPDS hardware predated the SPDS requirement; therefore, hardware specifications and design documentation were not included in the SPDS V&V.

A software requirements document was developed for each portion of the SPDS software that was developed by NU. These software requirements documents functionally defined the software features to be implemented for the SPDS.

Software requirements documents were subject to a formal process of independent verification, approval, and revision control in accordance with the Process Computer Engineering (PCE) procedure, "Verification and Validation Procedures for Safety Parameter Display Systems" [19]. The scope of the independent reviews of the Software Requirements Documents included verification that the stated requirements:

o Support system design, development, acceptance and operation.

o Support preparation of validation test procedures.

o Sufficiently define software that solves the problem stated by the specification.

Each requirement from the software requirements documents was expanded in software design specifications that describe the structure of the SPDS program modules and the software design considerations imposed by system hardware.

Software design specifications serve as the software design control documents for SPDS and were subject to approval, verification and revision control by the PCE V&V procedure. The design specification verification was structured to assure that each software design specification thoroughly implements each requirement of the corresponding requirements document.

The audit team selected sample requirements from the system specification and tracked their evolution through the software requirements documents and software design specifications. Each of the audited system requirements appeared to be properly described in the software requirements documents and implemented via the software design specifications. The audit team also verified that appropriate approvals and documentation of independent review existed for the documents examined.

It was noted during the audit that the PCE V&V procedure allows changes to approved specifications and requirements documents without an independent verification review. NU indicated that this was identified as a deficiency by an internal audit and that PCE will require independent review of future variances. Independent review will also be conducted for variances that have already been approved.

The process described above did not apply to one data validation routine that was written for NU by Babcock and Wilcox (B&W). NU stated, however, that B&W employed a similar verification process and that the data validation routine was rigorously reviewed by NU as part of product acceptance. Validation of this routine was also conducted as part of PCE's software testing.

Unlike system performance requirements, the audit team was unable to trace human factors requirements from the functional specification through the software design documentation. NU did, however, conduct an independent human factors survey of SPDS displays and operation against the criteria contained in NUREG-0700 and NUREG-0800.

3.3 Validation Testing

NSAC/39 recommends validation testing be conducted to demonstrate that the integrated SPDS meets the stated requirements.

3.3.1 Audit Team Observations

The Millstone 3 SPDS validation test program consists of three steps:

o Software Module Testing,

o Integrated System Acceptance Tests,

o Man-in-the-Loop Validation.

These steps are to be conducted sequentially.

A software test procedure was developed for each software module. These test procedures are intended to establish the steps necessary to test the major features of each software module against the software requirements documents and provide specific acceptance criteria for each module.

Integrated system acceptance tests were defined to confirm the overall system fulfills the requirements of the system specification. Integrated testing is performed after all module tests are complete.

Both the module tests and the integrated tests are subject to the same approval, revision control and independent review as the software requirements documents and software design specifications. Independent review of test procedures addressed verification that:

o All requirements are fully tested.

o Tests are objective and repeatable.

o Tests produce hard copy evidence of test results.

The functional specification requirements selected for NRC audit were also tracked through to the test procedures. In each case the audit team verified that the testing plans would properly validate the requirement. Testing to validate the system's ability to meet response time specifications while operating under load was also examined. It appeared to the audit team that this testing did not establish the system response time under worst case system loading conditions.

Man-in-the-loop validation testing is to be conducted by NU in the control room prior to fuel load. This testing will exercise the SPDS through several accident scenarios recorded at the plant simulator. Four teams of licensed operators who have been trained in the use of the SPDS will be run through each of these scenarios with the SPDS as the primary source of plant status information used to respond to the transients. During each exercise, observations of operators' SPDS use will be recorded. At the completion of each exercise and at the completion of the entire program, questionnaires will be used to obtain operator opinions about the SPDS.

3.4 Field Verification Test

NSAC/39 recommends that field testing be conducted to verify and validate that the SPDS has been properly installed.

3.4.1 Audit Team Observations

Since the Millstone 3 SPDS hardware is the plant process computer system, field testing of the hardware is being conducted as part of the construction acceptance testing for this system. Consequently hardware installation tests are not part of the Millstone 3 SPDS V&V program. In order to verify that the SPDS features of the plant computer system perform as designed, NU plans to repeat the SPDS Integrated System Tests after system installation and construction acceptance testing is complete.

3.5 Audit Team Assessment of the Verification and Validation Program

The Verification and Validation program for the Millstone 3 SPDS requires complete, thorough and independent design reviews at each step of system development. Rigorous module testing is specified and a reasonable level of overall system testing is planned. In order to provide a more complete system test of the SPDS, NU should insure that system testing verifies that SPDS functions are processed within the times required by the functional specification when the process computer system is operating under the worst loading conditions expected. The loading conditions should include non-SPDS uses of the computer.

At the time of the audit complete validation test results were not available for review. Summaries of the following test results should be provided to NRC to allow confirmation that critical SPDS functions have been successfully validated:

o Integrated System Tests,

o Man-in-the-Loop Testing,

o 100 Hour Availability Test.

Summaries provided should discuss any deficiencies identified by the testing and provide the plan and schedule for resolving these deficiencies.

4.0 SPDS DESIGN ASSESSMENT

The audit team reviewed the Millstone 3 SPDS design with respect to provisions of Supplement 1 to NUREG-0737 and the specific criteria suggested by NUREG-0800, Section 18.2. A discussion of the design features relative to each requirement and the corresponding audit team assessment is presented below.

4.1 "AN SPDS SHALL BE PROVIDED THAT IS LOCATED CONVENIENT TO CONTROL ROOM OPERATORS."

4.1.1 Audit Team Observations

Access to SPDS displays is provided in four discrete locations in the control room for use by the plant operators. These four locations are:

o The Engineered Safety Features (ESF) control panel.

o The Reactor Coolant System control panel.

o The auxiliary reactor operator's console.

o A desk located in front of the ESF control panel.

The last location is designated for the Shift Supervisor/Senior Reactor Operator, the primary SPDS user. The other locations accommodate other operators at their designated stations both at and away from the boards. Each display location provides independent access to the SPDS displays as well as other process computer information, and displays can be different at each location.

4.1.2 Audit Team Assessment

The location of the Millstone 3 control room SPDS displays is acceptable.

4.2 "THE SPDS SHALL CONTINUOUSLY DISPLAY INFORMATION FROM WHICH THE SAFETY STATUS OF THE PLANT CAN BE READILY AND RELIABLY ASSESSED BY CONTROL ROOM PERSONNEL RESPONSIBLE FOR THE AVOIDANCE OF DEGRADED AND DAMAGED CORE EVENTS."

4.2.1 Audit Team Observations

The primary SPDS display consists of color coded blocks along the bottom of the plant computer CRT display that show the status of each critical safety function. The operator may choose to suppress continuous display of these status blocks. In this case, however, the primary SPDS display is shown automatically and simultaneously on all CRTs in the event of a CSF status change.

Secondary displays of supplementary information are available at each CRT and can be accessed via the SPDS keyboard to provide additional information for each CSF.

These displays are presented in a format that is similar but not identical to those used by the Millstone 3 functional response guideline EOPs. The status trees (see Figure 1) show the EOP decision logic used by the computer to determine the status of each CSF. The branch points on these trees represent the comparison of a SPDS parameter against CSF evaluation criteria from the EOPs. The parameter value used for this comparison is displayed at the branch point. Evaluation of a CSF tree against the values of all SPDS parameters pertinent to the tree leads to an unambiguous conclusion about the status of that CSF. The evaluation path of the status tree display is highlighted in the color corresponding to the status of the CSF in question. The same color coding convention is used for the CSF status blocks and on the status trees in the Millstone 3 EOPs. The color coding convention for all CSFs except radioactivity control is:

o Green - critical safety function is satisfied;

o Yellow - critical safety function is not fully satisfied;

o Orange - critical safety function is under severe challenge;

o Red - critical safety function is in jeopardy.

The status of the radioactivity release function is similarly color coded, in a manner that corresponds to Emergency Action Levels identified in the Millstone 3 emergency plan:

o Green - no abnormal releases

o Yellow - releases exceed unusual event criteria

o Orange - releases exceed alert criteria

o Red - releases exceed site area emergency criteria

Another set of displays capable of showing time history information for SPDS variables is a planned enhancement of the SPDS. NU has scheduled these displays to be available by the completion of the first refueling outage.

The parameter values used in the evaluation of the CSF status trees are developed from redundant instrumentation inputs via data validation algorithms that include the following features:

o Elimination of invalid inputs by:

    o ignoring signals that arrive via malfunctioning input interfaces,

    o ignoring inputs that read within 5% of the limits of the input instrument's calibrated range.

o Synthesis of a single value for each parameter using an averaging process that:

    o eliminates readings which are not consistent with redundant inputs,

    o gives weight to narrow range channels.

The SPDS displays alert the operator if any inputs are not used in the synthesis of a parameter value.

The operator may call up the readings of individual inputs on tertiary SPDS displays. These displays also identify the quality of each input. Four distinct quality levels are identified by this system:

Validated - Applies when redundant sensor signals or analytically derived variables are compared within a specified error band, pass limit checking, and pass Pass/Fail;

Unvalidated - Applies when a sensor signal is correctly processed through Pass/Fail but is not validated by comparison with another sensor(s) or analytically derived variables, or fails limit checking;

Invalid - Applies when a sensor signal fails Pass/Fail;

Substituted - Applies when a substituted value is used instead of the actual sensor signal. Substituted values are treated as invalid by the SPDS algorithms.
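The validation features and quality levels described above can be sketched as follows. This is an added example, not the NU or B&W software the audit examined: the channel names, the sample readings, the comparison against the median, the error band value and the inverse-span weighting are all assumptions chosen to illustrate the text.

```python
"""Redundant-input validation sketch (added example, not NU/B&W code)."""
from dataclasses import dataclass
from enum import Enum
from statistics import median
from typing import Optional

LIMIT_MARGIN = 0.05  # audit text: ignore inputs within 5% of the range limits


class Quality(Enum):
    VALIDATED = "Validated"
    UNVALIDATED = "Unvalidated"
    INVALID = "Invalid"
    SUBSTITUTED = "Substituted"


@dataclass(frozen=True)
class Channel:
    name: str
    value: float
    lo: float                   # bottom of calibrated range
    hi: float                   # top of calibrated range
    interface_ok: bool = True   # Pass/Fail result for the input interface
    substituted: bool = False   # a substituted value replaces the sensor signal


@dataclass(frozen=True)
class Synthesis:
    value: Optional[float]      # None when no input could be used
    quality: Quality            # quality of the synthesized value
    channel_quality: dict       # per-input quality, as on a tertiary display
    unused: list                # inputs left out; drives the operator alert


def passes_limit_check(ch: Channel) -> bool:
    # Assumption: "within 5% of the limits" means 5% of the calibrated span.
    margin = LIMIT_MARGIN * (ch.hi - ch.lo)
    return ch.lo + margin < ch.value < ch.hi - margin


def synthesize(channels, error_band: float) -> Synthesis:
    quality, candidates = {}, []
    for ch in channels:
        if ch.substituted:                 # treated as invalid by the algorithm
            quality[ch.name] = Quality.SUBSTITUTED
        elif not ch.interface_ok:          # fails Pass/Fail
            quality[ch.name] = Quality.INVALID
        elif not passes_limit_check(ch):   # fails limit checking
            quality[ch.name] = Quality.UNVALIDATED
        else:
            candidates.append(ch)

    # Assumption: "consistent with redundant inputs" is tested against the
    # median of the surviving readings, within error_band engineering units.
    agreeing = []
    if len(candidates) >= 2:
        centre = median(c.value for c in candidates)
        agreeing = [c for c in candidates if abs(c.value - centre) <= error_band]

    if len(agreeing) >= 2:
        used, overall = agreeing, Quality.VALIDATED
    elif len(candidates) == 1:
        # Assumption: a lone survivor is shown, but flagged Unvalidated.
        used, overall = candidates, Quality.UNVALIDATED
    else:
        used, overall = [], Quality.UNVALIDATED
    for ch in candidates:
        ok = overall is Quality.VALIDATED and ch in used
        quality[ch.name] = Quality.VALIDATED if ok else Quality.UNVALIDATED

    value = None
    if used:
        # Assumption: "gives weight to narrow range channels" is modelled as
        # weighting each reading by the inverse of its calibrated span.
        weights = [1.0 / (c.hi - c.lo) for c in used]
        value = sum(w * c.value for w, c in zip(weights, used)) / sum(weights)
    used_names = {c.name for c in used}
    unused = [c.name for c in channels if c.name not in used_names]
    return Synthesis(value, overall, quality, unused)


# Constructed sample: five hypothetical channels of one pressure parameter.
SAMPLE = [
    Channel("NR-A", 42.0, 0.0, 100.0),
    Channel("NR-B", 43.0, 0.0, 100.0),
    Channel("NR-C", 41.0, 0.0, 100.0, interface_ok=False),  # bad interface
    Channel("WR-A", 46.0, 0.0, 400.0),
    Channel("WR-B", 395.0, 0.0, 400.0),                      # pegged near top
]

if __name__ == "__main__":
    result = synthesize(SAMPLE, error_band=5.0)
    print(f"value={result.value:.2f} quality={result.quality.value}")
    for name, q in result.channel_quality.items():
        print(f"  {name}: {q.value}")
    print("inputs not used:", result.unused)
```

With the constructed sample the two narrow range channels dominate the average, and the failed and pegged channels are reported as unused rather than silently dropped.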

Data validation, status tree evaluation, and SPDS display updates occur more rapidly than once every two seconds. System operability indication is provided by the current time indicated in the upper left hand corner of the display. The indicated time is incremented every second.

Availability analysis has been conducted for the Millstone 3 SPDS using manufacturers' component reliability data. This analysis indicates system hardware availability is expected to exceed 99.5% assuming an eight hour mean time to repair system failures.

4.2.2 Audit Team Assessment

The Millstone 3 SPDS fulfills the need for a rapid display of reliable safety parameter information as outlined by Supplement 1 to NUREG-0737. In addition, the provision for either continuous display of status blocks or for automatic display upon a change in safety function status satisfies the intent of a continuous display feature.

There are, however, a number of items that warrant further action by Northeast Utilities:

o NU must establish a system that ensures SPDS displays and status trees remain consistent with the latest version of the plant EOPs.

o NU should consider making the wording on EOP status trees and the wording on SPDS displays identical.

o Operating history for the SPDS should be maintained to verify that actual experience is consistent with the availability predictions and as an aid in identifying hardware and software modifications that would improve system availability.

o NU should consider displaying synthesized parameter values on the tertiary displays which show the raw input data in order to assist the operator in comparison of raw versus reduced data.

4.3 "THE SPDS SHALL PROVIDE A CONCISE DISPLAY OF CRITICAL PLANT VARIABLES WHICH, AT A MINIMUM, SHALL BE SUFFICIENT TO PROVIDE INFORMATION TO PLANT OPERATORS ABOUT THE FOLLOWING CRITICAL SAFETY FUNCTIONS:

(i) REACTIVITY CONTROL
(ii) REACTOR CORE COOLING AND HEAT REMOVAL FROM THE PRIMARY SYSTEM
(iii) REACTOR COOLANT SYSTEM INTEGRITY
(iv) RADIOACTIVITY CONTROL
(v) CONTAINMENT CONDITIONS

THE SPECIFIC PARAMETERS DISPLAYED SHALL BE DETERMINED BY THE APPLICANT."

4.3.1 Audit Team Observations

The critical safety functions and SPDS parameters selected for Millstone 3 SPDS displays are consistent with the Westinghouse Owners Group Functional Restoration Guidelines. These are listed in the table below with the corresponding variables and the applicable CSF guideline from Supplement 1 to NUREG-0737.

DISPLAY CSF               VARIABLE                                        GUIDELINE CSF

I.   Subcriticality       1. Reactor trip signal                          (i)
                          2. Power level
                          3. Startup rate
                          4. Source range energized

II.  Core Cooling         1. Core exit temperature                        (ii)
                          2. RCS subcooling
                          3. RV level

III. Heat Sink            1. S/G level
                          2. Total FW flow rate
                          3. S/G pressure

IV.  Integrity            1. Cooldown rate                                (iii)
                          2. RCS temperature
                          3. RCS pressure

V.   Containment          1. Containment pressure                         (iv), (v)
                          2. Containment level
                          3. Containment radiation

VI.  RCS Inventory        1. Pressurizer level                            (iii)
                          2. Reactor vessel level

VII. Radiation Release    1. Main Steam Line Radiation                    (iv)
                             a) main steam line radiation monitor
                             b) steam generator safety valve status
                             c) atmospheric dump valve status
                             d) auxiliary feedwater pump radiation monitor
                          2. Effluent Radiation
                             a) ventilation vent gas monitor
                             b) SLRCS radiation monitor

The primary CRT display consists of a row of seven boxes indicating CSF status by the color code described in par. 4.2.1 above. Secondary and other displays can be quickly called by the operators so that they may determine the reasons for changes in the CSF status. Each secondary display includes the status tree and the variables applicable to that CSF. The variable displays incorporate a visual indication of the quality level for the data.

All CSF status trees except reactivity control include branch decision points that account for the current plant operating mode as determined from the values of SPDS parameters. The reactivity control event tree is only evaluated by the SPDS after reactor trip. Therefore, anomalous indication of CSF status will not occur as a result of mode changes.

4.3.2 Audit Team Assessment

The audit team concluded that the Millstone 3 SPDS provides a suitably concise display of the selected parameter set. Review of the parameters selected for display on the SPDS was not in the scope of this audit.

4.4.1 "THE SPDS SHALL BE DESIGNED TO INCORPORATE ACCEPTED HUMAN FACTORS PRINCIPLES SO THAT THE DISPLAYED INFORMATION CAN BE READILY PERCEIVED AND COMPREHENDED BY SPDS USERS."

4.4.2 Audit Team Observations

The need to incorporate human factors principles into the SPDS was acknowledged by NU from the start of SPDS development. The audit team noted the following features of the SPDS design process that reflect this fact.

o The use of EOPs as the basis for SPDS displays and parameter set makes use of the results from Westinghouse Owners Group task analysis performed during the development of the EOPs.

o The SPDS Functional Specification contains a number of detailed requirements regarding display types, menus, command inputs, and software security.

o The SPDS Functional Specification also references accepted human factors standards for equipment design as well as the control room design standards and conventions developed by NU as part of the Detailed Control Room Design Review.

o Human factors expertise was available to the NU SPDS project team. The human factors expert actively participated in decisions regarding man-machine interfaces of the SPDS.

In addition to these measures NU has initiated an independent review of the human factors suitability of the final products. Furthermore, the man-in-the-loop testing discussed in Section 3 will provide additional, valuable feedback regarding the system's usability by the operators.

The NRC audit team observed the SPDS displays as they were being driven by dynamic test data simulating various plant operating conditions and also visited the Millstone 3 control room to ascertain the relationship between the SPDS displays and control boards. The following potential human factors discrepancies (HEDs) were noted.

o When the status of a critical safety function changes, the associated status block changes color. If the change is in the less safe direction the block also blinks for a short time. An audible cue in addition to the blink may be needed to attract the operator's attention.

o There were numerous minor differences in wording between the SPDS displays and the functional EOPs.

o Two of the four control room displays do not have keyboards to allow desired displays to be called up locally.

4.4.3 Audit Team Assessment

NU has effectively incorporated human factors principles into the Millstone 3 SPDS design. The potential HEDs noted above should be assessed for correction. Results of the planned man-in-the-loop testing may prove helpful in performing this assessment.

5.0 SUMMARY

5.1 VERIFICATION AND VALIDATION PROGRAM

The Millstone 3 SPDS V&V program satisfies the V&V needs outlined in NUREG-0800 Section 18.2 and NSAC/39. Northeast Utilities should, however, modify the system loading test to include verification that SPDS response time requirements will be met when the process computer system is operating under worst case loading conditions including non-SPDS uses of the computer.

Upon completion of the V&V program, summaries of the following test results should be submitted to NRC to allow NRC confirmation that SPDS functions have been successfully validated:

o Integrated System Tests

o Man-in-the-Loop Testing

o 100 Hour Availability Test

The plan and schedule for resolving any deficiencies noted by this testing should be included with the submittal of the test summaries.

5.2 SPDS DESIGN

The audit team concluded that the Millstone 3 SPDS generally satisfies the SPDS provisions of Supplement 1 to NUREG-0737. There are a few NRC audit team comments, however, that should be addressed by Northeast Utilities:

o NU must establish a system that insures SPDS displays and status trees remain consistent with the latest version of the plant EOPs.

o NU should consider eliminating the wording differences between the SPDS status trees and the EOP status trees.

o An operating history should be maintained for the SPDS to verify actual experience is consistent with the availability predictions and as an aid in identifying hardware and software modifications that would improve system availability.

o NU should consider displaying the synthesized parameter values on tertiary level displays that show the readings of individual SPDS instrument channels. This feature would assist the operator in understanding the effect of individual instrument readings on the single parameter value used by the SPDS.

o The potential human factors discrepancies noted by the audit team should be assessed to determine if correction would be appropriate.


6.0 REFERENCES

6.1 GENERAL REFERENCES

1. U.S. Nuclear Regulatory Commission, NUREG-0737, "Clarification of TMI Action Plan Requirements," November 1980, Supplement 1, December 1982.
2. U.S. Nuclear Regulatory Commission, NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," Section 18.1, Control Room, Rev. 0 - September 1984 and Section 18.2, Human Factors Review Guidelines for the Safety Parameter Display System (SPDS), Rev. 0 - November 1984.
3. Verification and Validation for Safety Parameter Display Systems, NSAC/39, Science Applications, Inc., (December 1981).
4. U.S. Nuclear Regulatory Commission, NUREG-0700, "Guidelines for Control Room Design Review," September 1981.
5. U.S. Nuclear Regulatory Commission, NUREG-0835, "Human Factors Acceptance Criteria for the Safety Parameter Display System"
6. U.S. Nuclear Regulatory Commission, NUREG-0696, "Functional Criteria for Emergency Response Facilities," February 1981.
7. Instrumentation for Light-Water Cooled Nuclear Power Plants to Assess Plant and Environs During and Following an Accident, Regulatory Guide 1.97, Rev. 2, Nuclear Regulatory Commission, Office of Standards Development (December 1980).

6.2 DOCUMENTS EXAMINED DURING AUDIT

8. SP-EE-149A, "Millstone Point Unit 3 Safety Parameter Display System (SPDS) Specification", November 30, 1984
9. PCE-RQ-ERIS3SPD-06, "Software Requirements Document for the Emergency Response Information System (ERIS), Safety Parameter Display System (SPDS) Containment Critical Safety Function (CSF) for the Millstone 3 Nuclear Power Plant", November 21, 1984
10. PCE-DS-ERIS3SPD, "Software Design Document for the Emergency Response Information System/Safety Parameter Display System (ERIS/SPDS) for Millstone 3 Nuclear Power Plant", February 12, 1985
11. PCE-TP-ERIS3SPD-06, "Software Test Procedures Document for Safety Parameter Display System for Containment Critical Safety Function for Millstone 3 Nuclear Power Plant", May 20, 1985
12. Test Procedure IT-Generic-0 3349-P001 Appendix E01, Rev. 0, 6/26/85
13. PCE-RQ-ERIS3SIG, "Software Requirements Document for Safety Parameter Display System Signal Validation for Millstone Point Unit 3 Nuclear Power Plant", June 20, 1985
14. PCE-SW-ERIS3RAR, "Safety Parameter Display System Redundant Signal Validation Software for Millstone Unit 3 Nuclear Power Plant", January 4, 1985
15. PCE-TP-ERIS3 PAR, "Software Test Procedures for Parity for Millstone 3 Nuclear Power Plant", June 20, 1985
16. "Software Design Document for Signal Validation for Millstone 3 Nuclear Power Plant", May 3, 1985
17. "Software Test Procedures Document for Signal Validation for Millstone 3 Nuclear Power Plant", June 20, 1985
18. "Safety Parameter Display System Verification and Validation Plan", August 1, 1984
19. Process Computer Engineering Procedure No. PCEP-1.0, "Verification and Validation Procedures for Safety Parameter Display Systems", April 11, 1985
