ML20138M462

Design Verification Audit of SPDS for Byron Generating Station Units 1 & 2
ML20138M462
Person / Time
Site: Byron
Issue date: 09/26/1985
From:
SCIENCE APPLICATIONS INTERNATIONAL CORP. (FORMERLY
To:
NRC
Shared Package
ML20138M466 List:
References
RTR-NUREG-0737, RTR-NUREG-737 NUDOCS 8511010347


Text


DESIGN VERIFICATION AUDIT OF THE SAFETY PARAMETER DISPLAY SYSTEM FOR THE BYRON GENERATING STATION UNITS 1 AND 2

September 26, 1985

Prepared for U.S. Nuclear Regulatory Commission, Washington, D.C. 20555

Prepared by Science Applications International Corporation, 1710 Goodridge Drive, McLean, Virginia 22102


TABLE OF CONTENTS

1.0 INTRODUCTION
2.0 BACKGROUND
3.0 SYSTEM DESCRIPTION
4.0 AUDIT FINDINGS
4.1 System Specifications and Standards Used in the Design
4.2 Design of Display Formats
4.3 Incorporation of Human Factors Requirements into Software Specifications
4.4 Design, Code, Test, Test Software, and Data Base Instructions
4.5 Integration Tests and Test Results for Displays and Scenarios
4.6 Display Format Human Engineering Standard and Guidelines
4.7 Display and Control Hardware Evaluation
4.8 Design Validation Test Methods and Test Plans
5.0 SUPPLEMENT 1 TO NUREG-0737 REQUIREMENTS
5.1 Concise Continuous Display
5.2 Convenient Location
5.3 Incorporation of Human Factors Principles
5.4 Procedures
5.5 Training for Accident Response With and Without SPDS
5.6 Parameter Selection
5.7 Electrical/Electronic Isolation
CONCLUSIONS
REFERENCES
ATTACHMENT 1 Audit Plan for Byron 1 and 2 Safety Parameter Display System
ATTACHMENT 2 List of Audit Meeting Attendees
ATTACHMENT 3 Human Factors SPDS Review Schedules
ATTACHMENT 4 Commonwealth Edison Verification and Validation Schedule


DESIGN VERIFICATION AUDIT REPORT FOR COMMONWEALTH EDISON COMPANY'S BYRON UNIT 1 AND 2 SAFETY PARAMETER DISPLAY SYSTEM

1.0 INTRODUCTION

This report documents the findings of the Nuclear Regulatory Commission (NRC) design verification audit of Commonwealth Edison Company's Byron Generating Station Units 1 and 2 Safety Parameter Display System (SPDS). The purpose of the audit, as described in NUREG-0800, Section 18.2 (Reference 1), was to obtain additional information required to resolve any outstanding questions with regard to the verification and validation (V&V) program, to confirm that the V&V program is correctly implemented, and to audit any results available to date. Because of the advanced state of the Byron program, the audit included a review of the installed SPDS to ensure that the results of Commonwealth Edison Company's testing demonstrate that the SPDS meets the functional requirements and exhibits good human engineering practice. The requirements set forth in NUREG-0737, Supplement 1, "Requirements for Emergency Response Capability" (Reference 2), served as the basis for the audit.

The history of the Byron SPDS dates back to December 29, 1983, when Commonwealth Edison Company submitted an SPDS Safety Analysis Report to the NRC (Reference 3). The SPDS Safety Analysis Report contained a verification and validation plan for all Commonwealth Edison Company stations along with the criteria for parameter selection for Byron and Braidwood Stations. On November 9, 1984, the NRC sent a Request for Additional Information Concerning the Byron/Braidwood Safety Parameter Display System to the licensee (Reference 4). Concerns regarding isolation devices, human factors engineering information, unreviewed safety questions, implementation plan and procedures, and systems review information were included in the NRC request for additional information. On February 6, 1985, the NRC sent an Audit Plan for the Byron 1 and 2 Safety Parameter Display System to the licensee (Reference 5). The audit agenda is included as Attachment 1 to this report.

The audit was conducted on July 24, 25 and 26, 1985, at Commonwealth Edison Company's Byron Units 1 and 2 facilities. The NRC audit team consisted of a representative from the NRC Division of Human Factors Safety, Human Factors Engineering Branch, and consultants from Science Applications International Corporation and Comex Corporation. This report was prepared by Science Applications International Corporation, but is intended to reflect the consolidated observations, conclusions, and recommendations of the NRC audit team members. The audit followed an agenda prepared by the NRC and forwarded to Commonwealth Edison Company on February 13, 1985. A list of audit meeting attendees is presented in Attachment 2 to this report.

2.0 BACKGROUND

Licensees and applicants for operating licenses are required to provide a Safety Parameter Display System (SPDS). The objective is to improve the ability of nuclear power plant control room operators to prevent accidents or cope with accidents if they occur by improving the information provided

The need for an SPDS was confirmed in NUREG-0737 (Reference 7) and in Supplement 1 to NUREG-0737. SPDS requirements in Supplement 1 to NUREG-0737 replaced those in earlier documents. Supplement 1 to NUREG-0737 requires each licensee or applicant to implement an SPDS on a schedule negotiated with the NRC. Human factors guidelines for SPDS design are currently provided in NUREG-0800 and NUREG-0700 (Reference 8).

An SPDS is to be established according to the applicant's own safety analysis and implementation plan which must be submitted to the NRC. According to Supplement 1 to NUREG-0737, the written safety analysis shall include a description of the basis on which the selected parameters are sufficient to assess the safety status of each identified function for a wide range of events, which include symptoms of severe accidents.

This safety analysis and the specific implementation plan for the SPDS are to be reviewed by the NRC. On-site audits are to be scheduled as necessary to confirm that the applicant is implementing an adequate design program.

3.0 SYSTEM DESCRIPTION

The same SPDS system will be used at both the Byron and Braidwood Stations. The system chosen is a derivative of the Westinghouse Iconic display design, modified by in-house engineering and human factors studies, and motivated by the objective of limiting the number of "display pages" comprising the SPDS.

Two display pages are used: a narrow-range and a wide-range. The narrow-range is designed for use at full operating power, and the wide-range is principally for accident conditions where parameters may vary over a wide range.

Each Iconic has eight spokes. Each spoke displays one parameter or a combination of parameters. Each page is considered by the licensee to represent all the critical safety functions. Normal operating conditions are intended to display a symmetrical octagon on the screen. The Iconic distorts to an asymmetrical octagon when the parameters depart from a normal reference state. The licensee stated that the octagonal display can be used for all conditions of intended use, cold shutdown through full power as well as accident conditions.

There is an SPDS screen on the vertical display console in each of the two Byron plants. Reliance on administrative procedures ensures that the SPDS is continuously displayed to the operators.

4.0 AUDIT FINDINGS

4.1 System Specifications and Standards Used in the Design

The system specifications and standards used in the design of the Byron SPDS are presented in two basic documents: the "Westinghouse Iconic Display Design," and the Commonwealth Edison Company "SPDS Plant Specific Supplement." A third document, entitled "SPDS Functional Description," was produced by ARD Corporation, but was not used for specification purposes. These documents were available for our audit at the plant site, but they are not docketed with the NRC.

The Westinghouse Iconic Display Design document (a proprietary document) contains the design for both wide-range and narrow-range Iconic displays along with the generic functional descriptions, equations, and algorithms used to drive the individual parameters on the Iconic display spokes.

The Commonwealth Edison Company's "SPDS Plant Specific Supplement" describes the plant-specific changes to the Westinghouse specifications. Changes made to the plant-specific SPDS include the addition of a parameter spoke which displays water level in the upper head of the reactor vessel (RVLIS), the display of the subcooling margin, a change in pressurizer RC pressure units from PSIA to PSIG, and the addition of specific identification points for the radiation spoke.

The NRC audit team review of the Westinghouse and plant-specific specification documentation indicated that Commonwealth Edison Company followed a process which adequately defined the general detail and plant-specific properties of the SPDS.

4.2 Design of Display Formats

During the audit of the process used by Commonwealth Edison Company to design the display formats, the audit team selected the spoke which displays pressurizer pressure on the narrow-range Iconic and system pressure on the wide-range Iconic. This was done in order to make the most effective use of the limited audit time by tracing the details of one display component from the initiation phase to the implementation phase.

The basic display formats for the wide-range Iconic and narrow-range Iconic were developed by Westinghouse Corporation during the development of the displays. Plant-specific changes such as the addition of subcooling, reactor vessel level indication system, and radiation monitoring points were made by Commonwealth Edison Company and validated on prototype displays. The operations department was formally included in the design process.

The audit team concluded that the display formats were appropriately designed by the Westinghouse Corporation and Commonwealth Edison Company.

4.3 Incorporation of Human Factors Requirements into Software Specifications

ARD Corporation was employed by Commonwealth Edison Company to provide human factors guidance in software specifications and hardware selection. ARD ensured that human factors considerations such as functional grouping, color-coding consistency of display elements, and abbreviation consistency of text were included in the graphics generation package.

It is our evaluation that human factors requirements were appropriately integrated into the software specifications.

4.4 Design, Code, Test, Test Software, and Data Base Instructions

The audit team performed a limited inspection of the code and concluded that it appeared to be reasonably developed. Our inspection of the list of program instructions concluded it contained several comments made by the systems analysts indicating an appropriate checking and cross-checking process in the development of the code.

4.5 Integration Tests and Test Results for Displays and Scenarios

The computer systems group performed software testing in two phases. The first phase performed laboratory testing of the algorithm software and graphic generation package prior to the installation phase. The algorithm software was tested with a formal test package. The graphic generation package was tested on a Prime computer.

During the second phase, on-site testing of the installed system from sensor to data base was performed by using two Commonwealth Edison Company test procedures, SPP 85-10 and 11. One test procedure was for the wide-range display software and one was for the narrow-range display software.

The audit team review of this documentation revealed that the systems analysts performing the tests on the wide-range loop pressure spoke on the Iconic did discover a pressure spoke problem created by the operating characteristics of reactor coolant pumps. In this case, a change is being made to modify the SPDS to accommodate the actual operating characteristics of the plant. The test results and problems were thoroughly documented in the test procedures.

It is our conclusion that the integrated testing process and test results reflect an appropriate test methodology which was thoroughly implemented.

4.6 Display Format Human Engineering Standard and Guidelines

The audit team performed an on-site evaluation of the display format and concluded that the format generally followed good human engineering practices and guidelines. However, the audit team did note several human engineering discrepancies. Those discrepancies are listed below.

First, the SPDS consists of a narrow-range display and a wide-range display. There is no display title to identify which display is on the screen. This does not conform to NUREG-0700 guideline 6.6.1.1 which states that displays should be clearly labeled to permit accurate human performance. The audit team recommended that WIDE RANGE and NARROW RANGE be considered as titles by the licensee.

Second, the red alarm bars at the end of each Iconic spoke are difficult to detect as they have a low color contrast with the grey background. This does not conform with NUREG-0700 guideline 6.5.1.6.e(2) which states that colors should contrast well with the background on which they appear.

Third, the wide-range steam generator level spoke does not cover the full range of plant operations as indicated in Safety Parameter Display System Documentation. The problem is that the reference level is set at 86% which is the correct reference level for operations below 200°F in the primary coolant system. During power operations when core exit temperature is referenced at 617°F, the reference level in the steam generators is 66% on the narrow-range which corresponds to about 60% on the wide-range scale. Therefore, the Iconic will indicate a misleading low level indication when the operator switches from narrow-range display to wide-range display. This is an indication that the SPDS development team did not perform a thorough analysis of operator tasks in relation to system engineering and system functional objectives to establish operator information requirements as recommended in NUREG-0700 guideline 6.5.1.1.a. Commonwealth Edison Company agreed to investigate and correct this problem.

A human factors evaluation of the completed SPDS will be conducted by ARD Corporation in mid-1986. This review will include a checklist survey based on NUREG-0800, Section 18.2 criteria. It will also include operator interviews and review of the detailed control room design review task analysis data. Human engineering discrepancies documented during this review will be assessed in a process similar to the detailed control room design review assessment. The process for this evaluation is included as. This is an appropriate method for verifying and validating the suitability of the SPDS.

4.7 Display and Control Hardware Evaluation

Human factors considerations have been a part of the SPDS selection and implementation process at Byron. Commonwealth Edison Company's human factors consultants, ARD Corporation, prepared "Human Factors Considerations to Monitor Selection" in 1982, prior to procurement of the display hardware. Since 1982 ARD has played an active role in the human factors aspects of the implemented system. Further, a detailed evaluation of the human factors suitability of the implemented SPDS will be performed in mid-1986.

The audit team observed that the SPDS locations, controls, and hardware conformed to good human engineering practices.

4.8 Design Validation Test Methods and Test Plans

In order to conduct a detailed audit of the design validation test methods and plans, the audit team concentrated its efforts on one iconic spoke. The spoke selected for evaluation was the pressure spoke which displays pressurizer pressure on the narrow range display and primary system pressure on the wide range display.

The pressurizer pressure spoke displays the redundant input average of the pressurizer pressure inputs along with the constant reference value of 2235 psig. If the active value is invalid, then it is displayed as XXX and the iconic is forced to the full deflection high alarm state. If the active value is valid, then it is compared to the reference value and the iconic is deflected from the reference octagon accordingly. The full deflection high alarm state is achieved at 2335 psig and is based on pressure operated relief valve (PORV) lifting specifications. The full deflection low alarm state is based on safety injection which begins at 2000 psig.
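The narrow-range spoke logic described above, as an added example that is not code from the licensee, Westinghouse, or the audit report. The 2235, 2335 and 2000 psig values come from the report; the per-input quality flag, the rule that the active value is invalid when no usable input remains, and the linear scaling of deflection between the reference and each alarm limit are assumptions made for illustration.

```python
import math
from dataclasses import dataclass
from statistics import mean
from typing import Optional, Sequence

# Values stated in the audit report for the narrow-range pressurizer pressure spoke.
REFERENCE_PSIG = 2235.0   # constant reference value (undistorted octagon)
HIGH_ALARM_PSIG = 2335.0  # full deflection high, based on PORV lifting specifications
LOW_ALARM_PSIG = 2000.0   # full deflection low, safety injection begins


@dataclass(frozen=True)
class Reading:
    """One redundant pressurizer pressure input (hypothetical structure)."""
    psig: float
    valid: bool  # assumption: a quality flag supplied with each data point


@dataclass(frozen=True)
class SpokeState:
    text: str             # what the spoke shows as its numeric value
    deflection: float     # -1.0 = full low, 0.0 = on reference, +1.0 = full high
    alarm: Optional[str]  # "HIGH", "LOW" or None


def pressurizer_spoke(readings: Sequence[Reading]) -> SpokeState:
    """Compute the spoke state from the redundant inputs.

    Inputs flagged bad, or carrying NaN/inf, are excluded from the average so
    that a single failed channel cannot silently corrupt the active value.
    """
    usable = [r.psig for r in readings if r.valid and math.isfinite(r.psig)]

    # Invalid active value: show XXX and force full deflection high alarm,
    # so missing data is never drawn as a normal-looking octagon.
    if not usable:
        return SpokeState(text="XXX", deflection=1.0, alarm="HIGH")

    active = mean(usable)  # redundant input average

    # Assumption: deflection is linear between the reference and each limit,
    # and is clamped at full deflection beyond the limit.
    if active >= REFERENCE_PSIG:
        span = HIGH_ALARM_PSIG - REFERENCE_PSIG
        deflection = min((active - REFERENCE_PSIG) / span, 1.0)
    else:
        span = REFERENCE_PSIG - LOW_ALARM_PSIG
        deflection = max((active - REFERENCE_PSIG) / span, -1.0)

    if deflection >= 1.0:
        alarm = "HIGH"
    elif deflection <= -1.0:
        alarm = "LOW"
    else:
        alarm = None
    return SpokeState(text=f"{active:.0f}", deflection=deflection, alarm=alarm)


if __name__ == "__main__":
    # Constructed sample inputs, not plant data.
    cases = {
        "normal": [Reading(2230.0, True), Reading(2240.0, True)],
        "one channel bad": [Reading(2285.0, True), Reading(0.0, False)],
        "all channels bad": [Reading(2235.0, False), Reading(2236.0, False)],
        "safety injection": [Reading(2000.0, True), Reading(2000.0, True)],
    }
    for name, inputs in cases.items():
        print(f"{name:18s} -> {pressurizer_spoke(inputs)}")
```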

The wide range pressure spoke displays reactor coolant system loop pressure and the pressure reference in units of psig. If A and C reactor coolant pumps are running or if no pumps are running the active reactor coolant system pressure is the redundant average of the wide range pressures. Both alarm limits and the reference are functions of core exit temperature and the reactor trip status. Since core exit temperature and the reactor trip status are determined by the core exit temperature spoke, this spoke utilizes these values in the reactor coolant system pressure limit calculations.

The audit team evaluation of the pressure spoke included a review of the Westinghouse system specification and Commonwealth Edison Company's validation test procedures SPP-10 and SPP-11 for testing of the narrow range and wide range iconic logic. The system specifications appropriately define the general detail and plant specific properties such as point identifications and sensors, etc. Our limited inspection of the software code concluded that it was reasonably developed and contained several comments made by the systems analysts indicating a thorough analysis of the code. Software test procedures contained in SPP-10 and SPP-11 were conducted on the narrow range pressurizer pressure spoke and the wide range reactor coolant system spoke. As a result of the SPP-11 tests on the reactor coolant system pressure spoke, the Commonwealth Edison Company systems analysts identified pressure spoke problems created when coolant pumps are started. They are taking appropriate steps to modify the software to accommodate actual system characteristics.

Our audit of the data validation for the pressure spoke concluded that the licensee's methodology and coding of displayed data was appropriate.

Another design verification and validation process will be conducted by an independent group within the Commonwealth Edison Company. The independent group is scheduled to perform the verification and validation in September, 1987. The schedule for all Commonwealth Edison Company verification and validation reviews conducted by the independent review group is included in Attachment 4. No procedures or details were available for this activity at the time of the audit.

5.0 SUPPLEMENT 1 TO NUREG-0737 REQUIREMENTS

5.1 Concise, Continuous Display

Supplement 1 to NUREG-0737 states that "... the SPDS should provide a concise display of critical plant variables to the control room operators to aid them in rapidly and reliably determining the safety status of the plant."

By definition, a concise display removes superfluous or expanded detail in order to summarize the status of the five critical safety functions. The two Byron SPDS Iconics display specific plant parameters which can be used to evaluate the critical safety functions. The following is a list of Byron parameters associated with plant function monitoring. This list was included as Table E.17-1 of the B/B-FSAR which was published in September, 1983.

Reactivity Control
  • Power Mismatch
  • Tavg
  • Startup Rate
  • Core Exit Temperature

Reactor Core Cooling
  • Core Exit Temperature
  • NR SG Level
  • WR SG Level

Reactor Coolant System Integrity
  • NR SG Level
  • WR SG Level
  • WR RCS Pressure
  • Pressurizer Level
  • Pressurizer Pressure
  • Net Charging/Letdown Flow Rate

Reactor Coolant System Inventory Control
  • Net Charging/Letdown Flow Rate
  • Pressurizer Level
  • Containment Floor Drain Sump Level

Containment Activity Level
  • Containment Activity
  • Containment Floor Drain Sump Level

Containment Integrity
  • Containment Temperature
  • Containment Pressure

Secondary System Status
  • NR SG Level
  • WR SG Level
  • Power Mismatch
  • Tavg

During the development of the SPDS, several additional parameters were added to the Iconic. The additional parameters include subcooling margin; reactor vessel level indication system; steam jet air ejector radiation; steam generator blowdown radiation; and main steam loop A, B, C and D radiation.

In conclusion, the audit team determined that the wide-range SPDS Iconic does provide a concise display of the minimum five critical safety functions required by Supplement 1 to NUREG-0737. We concluded that the narrow-range Iconic provides a concise display of key parameters during power operations while the wide-range Iconic may be rapidly accessed in order to assess the status of the five critical safety functions during accident conditions. We did not review the basis for parameter selection nor the adequacy of the parameters selected to present the states of the critical safety functions.

5.2 Convenient Location

The SPDS is displayed on the control board for Unit 1 and in the same location on the board for Unit 2. Byron management plans to also have it available on the main control room center desk; and the shift supervisor has requested that it also be displayed in his office. From the center desk operations personnel can see the Unit 1 and Unit 2 control board displays. The SPDS is displayed on one of the two CRT screens which are located to the right and left of the center section of the vertical display boards. With the SPDS displays integrated into existing CRT screens, the SPDS appears to be accepted as part of the normal instrumentation by the operators and to receive commensurate respect. We conclude this is a convenient location.

5.3 Incorporation of Human Factors Principles

Human factors experts from ARD Corporation have participated in the design of the SPDS system, and will review it as a part of the DCRDR. The following human factors discrepancies were noted by the NRC audit team: The red-on-grey background numbers are difficult to read, and the cyan "reference" octagons are also difficult to see from a distance. The yellow color used to indicate plant status is very clearly seen. The yellow Iconic violates the color-coding conventions by depicting both normal and abnormal conditions. However, given the design of the display, this color coding appeared acceptable. Otherwise, the audit team judged human factors aspects of the display acceptable.

5.4 Procedures

The SPDS was not developed with its integration into the Byron EOPs as a goal. It was developed as a quick-look device to assess the overall status of the plant so that action can be taken based on the control room's normal instrumentation. Byron's EOPs do not refer to the SPDS as an action instrument.

5.5 Training for Accident Response With and Without SPDS

The audit team reviewed the Byron training plan which includes the training on the SPDS. Since the SPDS is part of the process computer utilizing normal computer data points, instruction in its use is a part of the overall process computer instructional package. The portion devoted to the SPDS discusses its use as a quick-look device to assist in the prevention and mitigation of emergency conditions through the monitoring of the critical safety functions. It then covers the design of the SPDS including the selection of parameters and their association with each of the critical safety functions, the logic of their grouping on the spokes of the Iconic display, and the algorithms used.

Because the SPDS is considered an aid to accident prevention and mitigation and not an "action" instrument, there is little chance that the operators will rely too heavily on it rather than on their Class 1E instrumentation; moreover, it does not appear likely that its loss will have a significantly adverse effect on an operator's performance in preventing or mitigating an accident.

The SPDS will be provided in the Byron and Braidwood simulator; training programs covering the operators' reactions to emergency conditions with the SPDS functional and inoperable should be developed.

5.6 Parameter Selection

Final approval of the parameter selection of the SPDS will be made by the Procedures and Systems Review Branch (PSRB) at the NRC. The information which follows is supplied to aid PSRB in their review.

As stated above, the basis for the design was the Westinghouse Iconic display, utilizing two top-level pages to cover all operating modes. The narrow-range Iconic covers the normal operating range while the wide-range Iconic covers the remaining modes, including refueling. In order to achieve this broad coverage, two pages were developed for the SPDS. The actual parameters selected are included in Section 5.1 of this report.

In order to examine the criteria for parameter selection, we walked through several hypothetical emergency scenarios with a licensed plant operator who also contributed to the SPDS design. The emergency conditions which were examined were cold water accident (both secondary and primary systems) at power, start-up, and hot stand-by; primary system leak, large and small, during all modes of operation including refueling; loss of off-site power, loss of both off-site and on-site power during all modes of operation; primary containment leak; and dropping and rupturing a fuel assembly during refueling.

A suggested improvement is the inclusion of containment sump level on the wide-range display. It is present on the narrow-range. If included on the wide-range as well, it would be an important indicator of primary leakage during modes of operation other than full power, such as accident conditions.

5.7 Electrical/Electronic Isolation

We reviewed the documentation on isolation to be provided to the Instrumentation and Control Systems Branch. If the isolation used in the computer is found to be satisfactory, SPDS electrical and electronic isolation should also be satisfactory, since all SPDS signals are obtained from the normal process computer data base.

We reviewed several electrical schematics to determine that SPDS should continue to operate during a total loss of on-site and off-site power. Both the process computer and the SPDS display in the control room are powered from supplies with battery backup.

CONCLUSIONS

The NRC audit team verified that the design of the Byron Unit 1 SPDS should meet the requirements of Supplement 1 to NUREG-0737. However, there were several problems noted by the audit team. The corporate verification and validation project for the Byron SPDS had not been fully developed at the time of the audit. Therefore, the corporate verification and validation report should be forwarded to the NRC in order to complete the evaluation of this issue. In terms of human engineering problems, the audit team noted that there was no Iconic title (wide range / narrow range), the wide-range steam generator level does not function correctly during all modes of operation, and the red alarm bars on grey background have low color contrast.

The above findings should not diminish the fact that the audit team concluded that the displays and the systematic process used to develop the displays should result in an SPDS which meets the NRC requirements. The human factors aspects and user acceptance are both positive aspects of the Byron system. In addition, the audit team has noted the positive support provided by the station management during the development and implementation of the SPDS.

REFERENCES

1. NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," Section 18.2, Rev. 0, "Safety Parameter Display System (SPDS)," and Appendix A to SRP Section 18.2, "Human Factors Review Guidelines for the Safety Parameter Display System," November 1984.

2. NUREG-0737, Supplement 1, "Requirements for Emergency Response Capability," USNRC, Washington, D.C., December 1982, transmitted to reactor licensees via Generic Letter 82-33, December 17, 1982.

3. Letter from E. Douglas Swartz, Nuclear Licensing Administrator, Commonwealth Edison Company, to Harold R. Denton, Director of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, Subject: Dresden Station Units 2 and 3, Quad Cities Units 1 and 2, Zion Station Units 1 and 2, Byron Station Units 1 and 2, Braidwood Station Units 1 and 2, NUREG-0737 Supplement 1 SPDS Safety Analysis, Commonwealth Edison Company, Chicago, Illinois, December 29, 1983.

4. Letter from B.J. Youngblood, Chief, Licensing Branch No. 1, Division of Licensing, U.S. Nuclear Regulatory Commission, to Dennis L. Farrar, Director of Nuclear Licensing, Commonwealth Edison Company, Chicago, Illinois, Subject: Request for Additional Information - Byron/Braidwood SPDS, U.S. Nuclear Regulatory Commission, November 9, 1984.

5. Memorandum for B.J. Youngblood, Chief, Licensing Branch No. 1, Division of Licensing, from D. Tondi, Acting Chief, Human Factors Engineering Branch, Division of Human Factors Safety, Subject: Staff Audit of Byron 1 and 2 Safety Parameter Display System, U.S. Nuclear Regulatory Commission, February 6, 1985.

6. NUREG-0660, Vol. 1, "NRC Action Plan Developed as a Result of the TMI-2 Accident," USNRC, Washington, D.C., May 1980; Rev. 1, August 1980.

7. NUREG-0737, "Requirements for Emergency Response Capability," USNRC, Washington, D.C., November 1980.

8. NUREG-0700, "Guidelines for Control Room Design Reviews," USNRC, Washington, D.C., September 1981.

ATTACHMENT 1 AUDIT PLAN FOR BYRON 1 AND 2 SAFETY PARAMETER DISPLAY SYSTEM O

Y

AUDIT PLAN FOR THE BYRON 1 AND 2 SAFETY PARAMETER DISPLAY SYSTEM Backorcund All holders of operating licenses issued by the Nuclear Regulatory Comission (Ifcensees) and applicants for an operating license (OL) must provide a Safety Parameter Display System (SPDS) in the control room of their plant.

The Comission approved requirements for the SPDS are defined in Supplement I to NUREG-0737.

The purpose of the SPDS is to provide a concise display of critical plant variables to control room operators to aid them in rapidly and reliably determining the safety status of the plant. NUREG-0737, Supplement 1, recuires licensees and applicants to prepare a written safety analysis describing the basis on which the selected parameters are sufficient to asses: the safety status of each identified function for a wide range of events, which include symptoms of severe accidents. Licensees and applicants shall also prepare an implementation plan for the SPDS which contains schedules for design, development, installation, and full operation of the SPDS as well as a design verification and validation plan. The safety analysis and the implementation plan are to be submitted to the NRC for staff review. The results of the staff's review are to be published in a Safety EvaluationReport(SER).

Commonwealth Edison Company submitted a safety analysis (Ref. 1) for the Byron Units 1 and 2 SPDS. The staff reviewed the safety analysis and concluded that insufficient information was provided to complete our evaluation. Reference 2, a request for additional information, was forwarded to the Commonwealth Edison Company. To facilitate the completion of the review, the staff will audit the Byron Units 1 and 2 SPDS.

Audit Schedule

The staff proposes this be scheduled for April 23-25, 1985. We anticipate that the audit will require two full days (April 23-24) of effort. We plan an exit briefing for the morning of April 25, 1985.

NRC Audit Team

The NRC Audit Team will consist of representatives from the Human Factors Engineering Branch, Procedures and Systems Review Branch, and from the Instrumentation and Control Systems Branch.

In addition, the staff will be assisted in the audit by Science Applications International Corporation (SAIC).


Audit Tasks

The audit consists of four sets of tasks that are defined as:

I. General Issues

II. Human Factors Engineering Audit

Details on each of these sets of tasks are provided next.

Review Basis: NUREG-0737, Supplement 1, "Clarification of TMI Action Plan, Requirements for Emergency Response Capability."

I. General Issues

1. Topic: An entry briefing by the NRC audit team to discuss schedule and audit plan.
   Audit needs: A conference room or equivalent to hold briefing.
   Estimated time (hours): 0.25

2. Topic: Staff caucus to discuss results of audit.
   Audit needs: A conference room or equivalent.
   Estimated time (hours): 2

3. Topic: An exit briefing by the NRC audit team to report on the findings of the audit.
   Audit needs: A conference room or equivalent to hold briefing.
   Estimated time (hours): 0.5

4. Topic: Commonwealth Edison is to define the scope of the SPDS within the computer system in which it is implemented and in terms of the SPDS as stated in NUREG-0737, Supplement 1.
   Audit needs: Have available all elements of the design as it currently exists consisting of hardware, software and display formats.
   Estimated time (hours): 0.5

5. Topic: Staff audit of the Design Verification and Validation Program used in the development of the SPDS.
   Audit needs: Have available the Design Verification and Validation Program. Also, on a part-time basis, have available a qualified person capable of answering staff questions on the program.
   Estimated time (hours): 1.5

II. Human Factors Engineering Audit

1. Topic: Staff audit of the System Specifications and standards used in the design, such as human factors engineering standards.
   Audit needs: System Specifications, generic application data and standards used in the design. Also, on a part-time basis, have available personnel capable of answering questions on the specifications and standards. The licensee should also be prepared to discuss details of the Human Factors Program used in the design along with data validation techniques and the means used to inform the operator of invalid data.
   Estimated time (hours): 2

2. Topic: Staff audit of the validation of the display formats utilizing man-in-the-loop tests of a prototype display, if applicable.
   Audit needs: The validation program and the results from the program. Also have available personnel capable of answering staff questions on the validation program and the results from the program.
   Estimated time (hours): 2

3. Topic: Staff audit of the software specifications for incorporation of human factors requirements.
   Audit needs: The generic software requirements, the generic spec., and human factors standards used in the design. Also have available personnel capable of answering questions on these documents.
   Estimated time (hours): 1.5

4. Topic: Staff audit of the design, code, test software and data base instructions (if applicable).
   Audit needs: Design documentation, listing of code, and description of data base. Also have available personnel capable of answering questions on these documents.
   Estimated time (hours): 1.5

5. Topic: Staff audit of integration tests and test results for displays and scenarios, if applicable.
   Audit needs: Documents and test plans for integration tests along with test results. Also have available personnel to answer questions on these documents.
   Estimated time (hours): 2


6. Topic: Staff audit of selected display formats for conformance to human engineering standards and guidelines. Evaluate if display flicker exists; also determine adequacy of time lag for display of data.
   Audit needs: Selected display formats on prototype display system, if available. As a minimum, a hard copy, in color, of selected display formats will suffice.
   Estimated time (hours): 2.5

7. Topic: Staff audit of display devices, display controls, and keyboards, etc. for conformance to human engineering standards and guidelines.
   Audit needs: Have available display devices, display controls and keyboards, etc. Also have available personnel to answer staff questions on these devices.
   Estimated time (hours): 2

8. Topic: Staff audit of design validation test methods and test plans.
   Audit needs: Documents on test methods and test plans, if available. If documents are not available, provide a discussion on validation testing.
   Estimated time (hours): 1


REFERENCES

1. Letter from E. Swartz, Commonwealth Edison Company, to H. R. Denton, NRC, subject: "Byron Station Units 1 and 2 SPDS Safety Analysis," dated December 29, 1983.

2. Letter from B. J. Youngblood, NRC, to D. L. Farrar, Commonwealth Edison Company, subject: "Request for Additional Information - Byron/Braidwood SPDS," dated November 9, 1984.


ATTACHMENT 2 LIST OF AUDIT MEETING ATTENDEES


Byron - SPDS Audit Entrance 1330

Ken Ainger, CECO - Nuclear Licensing
Leo Beltracchi, HFEB/NRC
Don Brindle, Operating - Byron
Jeffrey Colborn, Tech. Staff/Ceco
Joseph DeBor, SAIC/NRC
Whit Hansen, Comex/NRC
Julian Hinds, Sr. Resident Inspector, USNRC
Laurence Huetteman, Comp Sys/Ceco
Bob Kershner, HFE/ARD Corp
Tim Melloch, Ceco - Byron Station
Christopher Olmsted, Comp Sys/Ceco
Bob Querio, Sta. Supt. - Byron
Richard Stark, SAIC/NRC
Dale St. Clair, Tech Staff Superv. Byron
Tom Weis, PED


ATTACHMENT 3 HUMAN FACTORS SPDS REVIEW SCHEDULES


ATTACHMENT 4 COMMONWEALTH EDISON VERIFICATION AND VALIDATION SCHEDULE


COMMONWEALTH EDISON COMPANY SPDS REQUIREMENTS REVIEW REPORT

Figure 3.4

II. SPDS V&V REVIEW SCHEDULE

Completion Date

| Complete Review of (Responsible Department) | Control Point | Dresden | Quad Cities | LaSalle | Zion | Byron | Braidwood |
|---|---|---|---|---|---|---|---|
| a. System Requirements (SNED) | A | 10/31/84 | 10/31/84 | 10/31/84 | 10/31/84 | 10/31/84 | 10/31/84 |
| b. System Design (SNED) | B | 11/30/84 | 11/30/84 | 11/30/84 | 11/30/84 | 11/30/84 | 11/30/84 |
| c. Software Design (COMP. SYSTEMS) | C | 11/1/85 | 3/1/85 | 4/1/84 | 5/1/84 | 6/1/85 | 6/1/86 |
| d. Software Development & Testing (COMP. SYSTEMS) | D | 1/1/85 | 5/1/85 | 6/1/85 | 10/1/85 | 8/1/85 | 8/1/86 |
| e. Hardware Design (COMP. SYSTEMS) | E | 12/1/85 | 4/1/85 | 5/1/85 | 6/1/85 | 7/1/85 | 7/1/86 |
| f. Hardware Installation & Testing (SYSTEM 04D) | F | 2/1/85 | 3/1/85 | 4/1/85 | 5/1/85 | 6/1/85 | 6/1/86 |
| g. Preoperational Test (STATION) | G | 7/1/85 | 7/1/85 | 1/1/86 | 7/1/86 | 2/1/87 | 2/1/87 |
| h. V&V Report (SNED) | H | 1/1/86 | 1/1/86 | 7/1/86 | 1/1/87 | 8/1/87 | 8/1/87 |
