ML20148Q387


Forwards Request for Addl Info Re Spds,Described in 850201 & s,Complete Review.Responses Requested by 880501
ML20148Q387
Person / Time
Site: Vermont Yankee
Issue date: 01/21/1988
From: Rooney V
Office of Nuclear Reactor Regulation
To: Capstick R
VERMONT YANKEE NUCLEAR POWER CORP.
References
TAC-51295, NUDOCS 8802010071


Text


January 21, 1988

Docket No. 50-271

Mr. R. W. Capstick
Licensing Engineer
Vermont Yankee Nuclear Power Corporation
1671 Worcester Road
Framingham, Massachusetts 01701

Dear Mr. Capstick:

SUBJECT: REQUEST FOR ADDITIONAL INFORMATION - SAFETY PARAMETER DISPLAY SYSTEM (SPDS) (TAC NO. 51295)

Re: Vermont Yankee Nuclear Power Station

We are reviewing your SPDS as described in letters dated February 1, 1985 and July 30, 1986. We find that we need additional information as described in the enclosed request for additional information to complete our review. We request that you provide responses to the enclosed questions by May 1, 1988.

The staff was assisted in evaluating the Vermont Yankee SPDS by Lawrence Livermore National Laboratory (LLNL). A copy of LLNL's Technical Evaluation Report (TER) is provided as an attachment to the request for additional information. The staff concurs with evaluations and conclusions in the TER.

The reporting and/or record keeping requirements contained in this letter affect fewer than ten respondents; therefore, OMB clearance is not required under P.L. 96-511.

Sincerely,

Original Signed by:

Vernon L. Rooney, Project Manager
Project Directorate I-3
Division of Reactor Projects I/II

Enclosure: As stated

cc w/ enclosure: See next page

DISTRIBUTION: Docket file, NRC PDR, local PDR, OGC, EJordan, JPartlow, VRooney, MRushbrook, ACRS (10), PDI-3 r/f, RWessman


OFFICIAL RECORD COPY

8802010071 880121 PDR ADOCK 05000271 P PDR

ENCLOSURE 1

REQUEST FOR ADDITIONAL INFORMATION CONCERNING THE VERMONT YANKEE NUCLEAR POWER STATION SAFETY PARAMETER DISPLAY SYSTEM

Each operating reactor shall be provided with a Safety Parameter Display System (SPDS). The Commission-approved requirements for an SPDS are defined in Supplement 1 to NUREG-0737 (Reference 1). In the Regional workshops on Generic Letter No. 82-33, held during March 1983, the NRC discussed these requirements and the staff's review of the SPDS.

The staff reviewed the initial SPDS safety analysis (Reference 2), and the revised SPDS safety analysis (Reference 3) provided by Vermont Yankee Nuclear Power Corporation. The staff was unable to complete its evaluation because of insufficient information.

The following additional information is needed to continue the review:

Isolation Devices

Evaluation criteria related to this requirement address the impact on safety systems of applying the maximum credible fault voltage/current to the SPDS.

Provide the following:

1. For the type of device used to accomplish electrical isolation, describe the specific testing performed to demonstrate that the device is acceptable for its application(s). This description should include elementary diagrams when necessary to indicate the test configuration and how the maximum credible faults were applied to the devices.

2. Data to verify that the maximum credible faults applied during the test were the maximum voltage/current to which the device could be exposed, and define how the maximum voltage/current was determined.

3. Data to verify that the maximum credible fault was applied to the output of the device in the transverse mode (between signal and return) and other faults were considered (i.e., open and short circuits).

4. Define the pass/fail acceptance criteria for each type of device.

5. A commitment that the isolation devices comply with the environmental qualifications (10 CFR 50.49--Reference 4) and with the seismic qualifications which were the basis for plant licensing.

6. A description of the measures taken to protect the safety systems from electrical interference (i.e., Electrostatic Coupling, Electromagnetic Interference, Common Mode and Crosstalk) that may be generated by the SPDS.

7. Information to verify that the Class 1E isolator is powered from a Class 1E power source.

Parameter Selection

Evaluation criteria related to this requirement address the selection of plant parameters and combinations of parameters which can be evaluated to determine the status of five critical safety functions (namely, reactivity control, reactor core cooling and heat removal from the primary system, reactor coolant system integrity, radioactivity control, and containment conditions).

Address the following question:

Are reactor power variable inputs intended to allow determination of the Reactivity Critical Safety Function status for all plant conditions from reactor startup to full power, and to reactor shutdown?

Provide the following:

A commitment: (a) that an operator located at the SPDS station can effectively utilize the hardwired containment isolation displays to rapidly and reliably assess that all necessary containment isolation valves operate properly in response to an isolation signal, and (b) that the relative position, orientation, and visual access of the hardwired containment isolation valve displays with regard to the SPDS station will be maintained or improved.

Rapid and Reliable

Evaluation criteria related to this requirement address factors which affect how rapidly the operator is informed of changes in plant variables. The criteria also address factors which affect the accuracy of displayed information across a wide range of events and factors which affect operator confidence in that information. Finally, the criteria address means by which the operator may recognize SPDS failure.

Provide the following:

1. For operator initiated SPDS requests, identify the design goal for system display response times under worst-case load conditions.

2. How will system sampling and update rates assure: (a) that the SPDS displays are current and accurate and (b) that there is no meaningful loss of information?

3. Describe detailed methodology on how SPDS functions (a) will receive computer execution priority and (b) will be protected from unauthorized changes by formal design control, software and hardware configuration control, and documentation of procedures.

4. Discuss the suitability of display accuracy and the time and value resolutions of trend graphs.

5. Define what "if appropriate" means concerning SPDS signals undergoing real-time pass/fail processing, range limit checking, interchannel comparison, and validation algorithm processing.

6. Discuss procedures, methodology, and criteria to determine invalid, unvalidated, and validated data categories.

7. Indicate details to support the acceptability of the interconnections, interrelationships, and interdependent performance between the new integrated computer system and the SPDS.

Location Convenient

Evaluation criteria related to this requirement address physical and visual factors which can impact operator access to SPDS displays and controls. The criteria also address SPDS interference with normal crew movement and visual access to other control room systems.

Provide the following:

1. Label and describe the illustration of the control room configuration (e.g., Figure 1 on page 26 of July 30, 1986 SAR) in order to substantiate that the SPDS, including containment isolation displays: (a) are easily recognizable and readable, (b) are located such that they can be seen by operators, and (c) do not interfere with operators' movement or visual access to other important displays.

Continuous Display

Evaluation criteria related to this requirement address SPDS users' timely and reliable awareness of plant safety status and of important changes in critical safety-related variables.

Address the following:

1. State how the SPDS system will prevent the selection of displays that will interrupt the continuous display of information on the five critical safety functions.

2. In addition to an EOP entry condition status box, how will operators be made aware of important changes in status of safety parameters?

Safety Status With and Without SPDS

Evaluation criteria related to this requirement address procedures and training to assure that the normal control room operating crew can determine plant safety status both with and without the SPDS.

Provide the following:

1. Define "as appropriate" concerning the users training program.

2. Discuss how the implementation of procedures is integrated with the SPDS.

Prompt Implementation

Supplement 1 to NUREG-0737 does not provide specific evaluation criteria for this requirement. Paragraph 4.3 of that document does, however, describe the staff's position on prompt SPDS implementation. Additional guidance is provided in Paragraph 5 of Appendix A to the Standard Review Plan, Section 18.2 (Reference 5).

Provide the following:

1. Regarding the use of the control room, as a test bed for SPDS, address the following concerns:

a. misleading control room operators,

b. potential limitations in developing and testing the SPDS in the control room,

c. placing the SPDS into a test mode from outside the control room, and

d. method(s) to be used to notify control room operators that tests are taking place.

Human Factors Principles

Evaluation criteria related to this requirement address display formats and their access, and the application of human factors engineering principles to those displays and controls so that information is readily perceived and comprehended by SPDS users.

Provide the following:

1. Provide a copy of or describe the proposed Human Factors Engineering (HFE) plan.

2. When will documentation on the HFE elements be completed and available for evaluation?

3. Specify the "appropriate points" when human factors personnel will review the SPDS displays, controls, and display development process.

4. Indicate the review methodology, processes, and personnel to be utilized in evaluating the SPDS design against Section 18.2 of the SRP.

5. State whether NUREG-0700 guidelines will be used to evaluate the SPDS design and implementation.

6. Describe display details such as arrangements, grouping, visual characteristics, usability, and selection processes.

Verification and Validation

Guidelines for conducting an SPDS verification and validation program address checks to assure that the design will satisfy functional needs and checks to assure that the system was properly installed. The guidelines also address documentation of identified problems, documentation of design modifications, and qualifications and independence of persons performing the verification and validation.

Provide the following:

1. Discuss the rationale for the choice between test and engineering evaluations to be utilized in the validation process.

2. Expand the description of the verification and validation process to include: (a) auditable description of plans, (b) illustrations and examples, (c) criteria, (d) procedures, and (e) schedules.

3. A commitment to select scenarios for the man-machine validation to assess the safety status for a wide range of events, including symptoms of severe accidents.


REFERENCES

1. NUREG-0737, Supplement 1, "Clarification of TMI Action Plan Requirements-Requirements for Emergency Response Capability (Generic Letter No. 82-33)," December 17, 1982.

2. Letter FVY 85-10 from W. P. Murphy (VYNPC) to D. B. Vassallo (NRC). Subject: "Safety Parameter Display System," dated February 1, 1985.

3. Letter FVY 86-67 from W. P. Murphy to D. B. Vassallo. Subject: "Vermont Yankee Safety Parameter Display System (VY SPDS)," dated July 30, 1986.

4. Title 10, Code of Federal Regulations, Parts 0 to 199. U.S. Government Printing Office, Washington, DC, revised January 1, 1987.

5. NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," Section 18.2, Rev. 0, November 1984.


UCID 21253

Technical Evaluation Report of the Safety Analyses Report for the Vermont Yankee Safety Parameter Display System

Jack W. Savage
Lawrence Livermore National Laboratory
November 18, 1987

This is an informal report intended primarily for internal or limited external distribution. The opinions and conclusions stated are those of the author and may or may not be those of the Laboratory.

This work was supported by the United States Nuclear Regulatory Commission under a Memorandum of Understanding with the United States Department of Energy.

TECHNICAL EVALUATION REPORT OF THE SAFETY ANALYSES REPORT FOR THE VERMONT YANKEE SAFETY PARAMETER DISPLAY SYSTEM

November 18, 1987

Jack W. Savage
Lawrence Livermore National Laboratory
for the United States Nuclear Regulatory Commission

TABLE OF CONTENTS

1. Introduction
2. Safety Parameter Display System Design Overview
3. Assessment of the Verification and Validation Program
   3.1 Discussion
   3.2 Assessment
4. Assessment of SPDS Design
   4.1 "The SPDS Should Provide a Concise Display..."
   4.2 "The SPDS Should...Display...Critical Plant Variables"
   4.3 "The SPDS Should...Aid Them (Operators) in Rapidly and Reliably Determining the Safety Status of the Plant"
   4.4 "The Principal Purpose and Function of the SPDS is to Aid the Control Room Personnel During Abnormal and Emergency Conditions in Determining the Safety Status of the Plant and in Assessing whether Abnormal Conditions Warrant Corrective Actions by Control Room Operators to Avoid a Degraded Core"
   4.5 "(The) SPDS (Shall be) Located Convenient to the Control Room Operators"
   4.6 "The SPDS shall Continuously Display Information from which the Safety Status of the Plant...can be Assessed..."
   4.7 "The SPDS Shall be Suitably Isolated from Electrical or Electronic Interference with Equipment and Sensors that are in Use for Safety Systems"
   4.8 "Procedures which Describe the Timely and Correct Safety Status Assessment when the SPDS is and is not Available will be Developed by the Licensee in Parallel with the SPDS. Furthermore, Operators should be Trained to Respond to Accident Conditions Both with and without the SPDS Available"

1. INTRODUCTION

The Vermont Yankee Safety Parameter Display System (SPDS) Safety Analysis Report (SAR) [1] reviewed in this report is dated July 30, 1986, and revises and supersedes the previous report dated January, 1985 [2]. This review is based on the requirements of Supplement 1 to NUREG-0737 [3], and the guidelines of Section 18.2 of NUREG-0800 [4].

The Vermont Yankee SPDS SAR is a description of the information and guidelines that the licensee plans to incorporate into the design and implementation of their SPDS to satisfy the requirements of Supplement 1 to NUREG-0737. It does not contain a technically complete description of the actual design and implementation of the SPDS.

2. SAFETY PARAMETER DISPLAY SYSTEM DESIGN OVERVIEW

The implementation of the SPDS will proceed concurrently with the replacement of the plant process computer. The SPDS will be a sub-set of process computer displays derived from approximately 900 parameters and 2000 plant signals and will be based on the NRC-approved BWR emergency response guidelines. Other parameters determined by the licensee to be appropriate will also be considered. Parameter selection will be based on plant specific emergency operating procedures (EOPs) which conform to the emergency procedure guidelines (EPGs) of the Boiling Water Reactor Owners Group (BWROG).

The SPDS displays will be as follows:

o 1 overview display
o 3-5 EOP control displays
o 5-7 detail parameter graphs
o 10 EOP limit curves
o 2-5 other

21 to 28 Total

The specific details and characteristics of the displays have not yet been determined. The displays will be hierarchically organized and will be operator selectable. Dedicated, rapid-access function keys will be color coded and conveniently grouped. Standardized data presentations will be used and certain information will be located and formatted the same on all displays.

3. ASSESSMENT OF THE VERIFICATION AND VALIDATION PROGRAM

A Verification and Validation (V&V) Program is concerned with the process of specification, design, fabrication, testing, and installation associated with an overall system's software, hardware, and operation. For the SPDS, verification is the review of the requirements to see that the right problem is being solved and a review of the design to see that it meets the requirements. Validation is testing of the integrated system to see that it meets all requirements.

V&V activities are not a regulatory requirement for the SPDS. Nevertheless, a V&V program performed by the applicant/licensee during design, installation, and implementation of an SPDS will facilitate the NRC staff review of the system. On the basis of an effective V&V program, the staff would reduce the scope and detail of the technical audit of the design.

The Vermont Yankee Nuclear Power Station (VYNPS) V&V plan will be developed and documented during the SPDS planning phase. SAR Section 7 (Design V&V) contains an outline of what will be included in the V&V plan and its execution/implementation.

3.1 Discussion

V&V personnel will be independent from SPDS design and development personnel and will conduct the V&V evaluations in parallel with SPDS design and installation. A detailed timeline chart or schedule showing how the SPDS design and the V&V will mesh has not yet been prepared.

The V&V effort is planned to meet the Nuclear Safety Analyses Center-39 (NSAC-39) [5] guidelines and to assure that:

o The SPDS will perform the appropriate functions.
o The implementation process tasks are consistent, complete, and correctly translate the development process tasks.
o The system and its implementation will adequately document control system changes and system implementation.

The three elements of the SPDS verification are:

o SPDS requirements review
o system design specification review
o design review

The SPDS requirements document review will be completed prior to initiating the SPDS system design and will determine if the requirements satisfy NUREG-0737 requirements, plant requirements, and applicable standards.

The system design specification review will be completed prior to initiating the SPDS design and will determine if the SPDS requirements have been translated into the design specification document.

The design review will be conducted after the SPDS design is complete and will determine if the design specifications have been satisfied and if the configuration control procedures have properly documented and controlled the design process.

VYNPS plans to develop a cross-reference matrix to systematically map the relationship between the requirements and design specification documents. This matrix will also provide a basis to map the SPDS acceptance testing and validation activities.

The three elements of the SPDS validation are:

o validation test plan
o validation test procedures
o validation test and evaluation report

Tests will include both static and dynamic modes. Engineering evaluations will be performed to validate attributes that cannot be tested, or if an engineering evaluation is deemed to be more appropriate. The SAR does not contain a discussion of the rationale for the choices between tests and engineering evaluations.

A realistic and dynamic environment will be approached by installing the SPDS in the VYNPS simulator prior to installation in the control room. The SPDS will be exercised in accordance with a documented man-machine validation (MMV) plan using a series of transients and accidents to demonstrate the effective integration of the SPDS, the EOPs, and the operating crew.

The MMV plan will address the following:

o Development of criteria for selection of scenarios with appropriate variation in complexity
o Selection, specification, and preparation of scenarios
o Identification of resources needed for MMV
o Development of MMV procedures
o Development of MMV data sheets
o MMV test conduct and organization
o Evaluation and documentation of results

Execution of the MMV plan will validate that the SPDS:

o is understandable and usable
o integrates with the EOPs and the control room
o has displays that are appropriately responsive to plant data under emergency conditions
o does not interfere with operating crew duties during normal and emergency conditions

3.2 Assessment

The SAR text outlines an acceptable V&V plan, but it is not comprehensive enough to evaluate the systematic and complete satisfaction of this requirement in regard to both software and hardware. Therefore, it is not possible to perform a final technical evaluation of the proposed V&V effort.

The SAR text should be expanded to include personnel qualifications and assignments, auditable descriptions of plans, illustrations, examples, rationales for choices, and decisions for tests and scenarios, criteria, procedures, and schedules. This revised SAR text should be submitted to the NRC for review and evaluation to confirm that VYNPS will meet the requirements of Supplement 1 to NUREG-0737.

During the selection of scenarios for the Man-Machine Validation, VYNPS should consider that the SPDS is intended to be used "to assess the safety status of each identified function for a wide range of events, which include symptoms of severe accidents." Thus, the MMV scenarios should not be constrained to design basis accident conditions.

4. ASSESSMENT OF SPDS DESIGN

Section 1.2 of the VYNPS SAR of July 30, 1986, states that "...the SPDS is being designed to fully meet the provisions of Supplement 1 to NUREG-0737." The SAR, when supplemented by additional information to be developed during the SPDS project, should demonstrate that the SPDS will conform with the guidance of Standard Review Plan (SRP) Section 18.2.

The following provides a discussion of the plans described in the SAR for the VYNPS SPDS and LLNL's assessment in each area.

4.1 "The SPDS Should Provide a Concise Display..."

4.1.1 Discussion

The planned SPDS displays are as follows:

Display Type               Quantity
Overview                   1
EOP Control                3 to 5
Detail Parameter Graphs    5 to 7
EOP Limit Curves           10
Other                      2 to 5
Total                      21 to 28

Some of the relevant SPDS display attributes planned are:

o The total number of displays will be limited.
o Displays will be arranged into a simple and easy to use hierarchy.
o Displays will use a similar format structure with standardized data presentations.
o Optimum configurations of individual display characteristics will be selected (i.e., digital, bar graphs, plot graphs, state indicators, alpha-numerics, limit flags, and boxes).
o Dedicated operator rapid access function keys will be provided using color coding and grouping.
o Certain information will be presented in the same location and format in all displays.

4.1.2 Assessment

It can be concluded from the text of the SAR that the general needs for the effective and concise SPDS displays have been recognized and planned for. However, the details regarding implementation of the plans have not been developed. Therefore, it is not possible to evaluate whether the SPDS displays will be acceptably concise or to conclude that this requirement of Supplement 1 to NUREG-0737 will be met. The text of the SAR should be expanded to provide a complete and detailed description to demonstrate compliance with this requirement.

4.2 "The SPDS Should... Display... Critical Plant Variables"

4.2.1 Discussion

The VYNPS selection of SPDS display parameters was based on plant specific EOPs which were derived from BWROG EPGs. The parameters selected to cover all of the NRC-identified functions for plant safety monitoring were based on the following criteria.

o The parameter is necessary for the plant operator to determine the status of a primary control function.
o The parameter provides an indication when an EOP entry condition has been met.
o The parameter provides guidance for operator actions in the execution of EOPs based on appropriate, multi-parameter limit curves.

The VYNPS parameters are intended to correspond to the critical safety functions (CSFs) that must be monitored as shown in SAR Table 1 which is stated to show the correlation between NUREG-0737, Supplement 1 CSFs, generic EPGs, principal control functions, and VYNPS EOPs. SAR Table 5 lists SPDS parameters and sources. The SAR Tables 1 and 5 mentioned above are reproduced in the Appendix to this report.

4.2.2 Assessment

With some exceptions the parameters named for display in the VYNPS SPDS are capable of providing operators with sufficient information to adequately respond to this requirement of Supplement 1 to NUREG-0737. The exceptions are:

o We were unable to determine if the reactor power variable inputs are intended to cover the range necessary to allow determination of the Reactivity Critical Safety Function status over the complete range of plant operating conditions to be monitored by the SPDS. To be fully effective the Reactivity CSF inputs must be useful in determining CSF status for all conditions between full power and reactor shutdown.

o The use of hardwired containment isolation valve status displays is acceptable only if:

1) An operator located at the SPDS display can effectively use the hardwired displays to rapidly and reliably determine if all containment isolation valves that must operate in response to a containment isolation activation signal have properly operated,

2) The hardwired displays are considered to be part of the SPDS for the purposes of future modifications or regulatory actions.

VYNPS should address these exceptions in a supplement to the SAR and submit it for NRC review and evaluation.

4.3 "The SPDS Should... Aid Them (Operators) in Rapidly and Reliably Determining the Safety Status of the Plant"

4.3.1 Discussion

Displays of SPDS parameters selected to support plant specific EOPs derived from symptom-based EPGs were intended to assure the maintenance of a safe plant status. SAR Section 2.0 implies that the SPDS will routinely scan the monitored parameters and alert the operator to conditions that require entry into an EOP.

Three to ten second response times to operator initiated display requests are described, but system display update times are not described. This is minimally acceptable in terms of the recommendations of NUREG-0700, Section 7.1.7.

1.


SPDS functions will receive computer execution priority and will be protected from unauthorized changes by formal design control, software and hardware configuration control, and document procedures, but specific details and methodology are not discussed. The suitability of display accuracy and the time and value resolutions of trend graphs are also not discussed.

SPDS signals are planned to undergo real-time pass/fail processing, range limit checking, interchannel comparison, and validation algorithm processing, if appropriate. What is appropriate is not defined.

Displays will include quality tags for operator information to indicate invalid, unvalidated, and validated data categories. Procedures, methodology, and criteria to determine data quality are not discussed in the SAR. Validated signals and parameters will be used in preference to lower quality data for EOP entry conditions and important SPDS information.

Signal validation is intended to consider and process appropriate attributes and characteristics that present operators with displays that are valid and reliable. If calculations use inputs with different quality levels, the lowest quality will be reflected in the quality tag assigned to the results. A validation status table display will be available to show input identification, input values, and assigned quality levels.

SPDS availability will be enhanced by features of self-checking, on-line error logging, diagnostic utilities, and state-of-the-art systems design. The target availabilities are specified as follows:

o When operating above shutdown and refueling, it is expected to be 0.98.
o During cold shutdown and refueling, it is expected to be 0.80.

System enhancements will be considered if actual availability is less than the above. Availability will be confirmed by tests performed on the completed system.

The SPDS is stated to be part of a new integrated computer system to be installed at VYNPS, but there are no details given which support the acceptability of the interconnections, inter-relationships, and interdependent performance between the computer and the SPDS.

4.3.2 Assessment

The significant amount of SAR text devoted to features in support of this requirement is interpreted to indicate that Vermont Yankee Nuclear Power Corporation (VYNPC) recognizes its importance and plans to install a suitable SPDS. However, the text is oriented more to what is planned rather than to details of how the stated and implied goals will be achieved.

It is not possible to evaluate display acceptability because the plans do not comprehensively describe display details such as arrangements, grouping, visual characteristics, usability, and selection processes, to confirm that there is an acceptable match between the NRC parameter requirements and the proposed VYNPS parameters. Furthermore, it is not possible to judge whether system sampling and update rates will assure that the SPDS displays are current and correct and whether there is any meaningful loss of information.

Significantly more written details and examples need to be provided in order to determine if this requirement has been met. For example, a determination of the acceptability of the three to ten second response time to operator initiated requests would be enhanced if justified in terms of the "maximum" times tabulated in Exhibit 7.6 of NUREG-0700 [6].

4.4 "The Principal Purpose and Function of the SPDS is to Aid the Control Room Personnel During Abnormal and Emergency Conditions in Determining the Safety Status of the Plant and in Assessing whether Abnormal Conditions Warrant Corrective Actions by Control Room Operators to Avoid a Degraded Core"

4.4.1. Discussion

The SPDS will display the following:

o Principal control function parameters which cover all of the NRC-identified functions of plant safety monitoring (SAR Table 2).

o Parameters that provide entry conditions for the EOPs (SAR Table 3).

o EOP operating limit curves and associated parameters (SAR Table 4).

The SAR tables 2, 3, and 4 are reproduced in the Appendix to this report.

The SPDS will store historical data for the interval from two hours prior to an emergency event to 12 hours after an event.

A minimum of two weeks of data will be archived off-line.

Displays will be designed to aid operating personnel in the execution of one or more EOPs.

Operators will be able to view current and recent history and to select detailed parameter trend graphs.

A plant overview display will present the current value of the principal control parameters and provide appropriate limit indicators for rapid and concise assessment.

4.4.2. Assessment

It is clear that VYNPC intends to satisfy this requirement of Supplement 1 to NUREG-0737. However, the SAR text should comprehensively describe the rationale and methodology developed to systematically assure that the SPDS is complete, accurate, and rapid enough to identify, process, and cue operating personnel to abnormal and emergency conditions that warrant the initiation of corrective actions.

It is not now possible to conclude that this requirement is met.

4.5. "(The) SPDS (Shall be) Located Convenient to the Control Room Operators"

4.5.1. Discussion

Displays and man-machine interface functions are to be appropriately located and accessible for monitoring plant safety status and for supervisory or overview functions during an emergency.

It is stated that:

o "The principle (sic) users of the SPDS will be shift supervisors and the shift engineers."

o "The SPDS is primarily intended to be an aid to control room personnel in monitoring overall plant safety status and in entering and executing VYNPS EOPs."

o "SPDS information will be continuously displayed in at least one location in view of supervisory... personnel."

SAR Figure 1 illustrates the layout of the control room, but does not identify enough specific SPDS location details to confirm the above statements.

4.5.2. Assessment

VYNPC clearly intends to fulfill these requirements in the SPDS design.

In the absence of comprehensive specific SAR text and labeled illustrations, however, it is not now possible to confirm that the SPDS meets the following criteria:

o The SPDS must be easily recognizable and readable.

o The SPDS must be located so that it is observable by operators.

o The SPDS must not interfere with operator movement or visual access to other important displays.

4.6. "The SPDS Shall Continuously Display Information from which the Safety Status of the Plant...can be Assessed..."

4.6.1. Discussion

SAR Section 3.2 (SPDS Use and Location) states that SPDS information will be continuously displayed.

Section 4.0 (SPDS Displays) describes the hierarchical nature of the SPDS displays as follows:

o An overview display will present the current value of the principal control parameters with appropriate limit indicators.

o Other displays will provide increasingly detailed information as needed.

o EOP control displays will provide information to aid operators in monitoring and controlling parameters as specified in the EOPs.

o Each display will include certain generic information presented in the same location and format on all displays.

This generic display will include a status box for EOP entry indication.

o An SPDS menu display will show the hierarchy, identification, and call-up designation for all SPDS displays.

o Validation status displays will be available to permit users to identify the signals that contribute to an indication of low quality.

o Display call-up can be from menu selection or direct keyboard call-up via dedicated function keys which may be grouped and/or color coded.

Pageup/pagedown keys will be provided for multiple page displays.

4.6.2. Assessment

It appears that the displays and access provisions planned can satisfy the requirements of Supplement 1 to NUREG-0737.

However, concerns which should be addressed are:

o The SAR text does not specifically state that the system will positively prevent the selection of displays that will interrupt the display of information needed to assess the status of the five critical safety functions.

o Except for the mention of an EOP entry condition status box, it is not clearly described how operators will be made aware of important changes in safety parameters.

4.7 "The SPDS Shall be Suitably Isolated from Electrical or Electronic Interference with Equipment and Sensors that are in use for Safety Systems"

4.7.1. Discussion

The VYNPS computer system and SPDS will be isolated from electrical and electronic interference in accordance with American National Standards Institute (ANSI)/Institute of Electrical and Electronic Engineers (IEEE) standards and VYNPS ground rules.

However, IEEE 279 Section 4.7.2 is not mentioned ("no credible failure at the output... shall prevent the associated protection system channel from meeting minimum performance requirements").

SAR Section 3.11 includes the following statements:

"Computer hardware that interfaces with safety class electrical equipment will be powered by a power supply energized from the electrical power division concerned."

Computer system inputs from safety systems "will be optically isolated or transformer coupled and surge protected."

"Isolation devices will be environmentally and seismically qualified and tested for maximum credible faults."

4.7.2. Assessment

A comprehensive review of the provisions for isolating the SPDS from safety-related equipment was not within the scope of this evaluation.

Nevertheless, it is clear that the SAR does not provide enough information to allow NRC review of this issue.

Several concerns that should be addressed and described before isolation can be concluded to be acceptable are:

o Have the proposed isolating devices been accepted by the NRC?

o The "credible faults" to be tested for were not specifically described.

o The "credible faults" testing procedures and methodology were not specifically described.

o The availability of appropriate auditable type-testing data was not described.

4.8. "Procedures which Describe the Timely and Correct Safety Status Assessment when the SPDS is and is not Available will be Developed by the Licensee in Parallel with the SPDS. Furthermore, Operators should be Trained to Respond to Accident Conditions Both with and without the SPDS Available"

4.8.1. Discussion

The SPDS will be integrated into the VYNPS control room simulator facility to provide continuing operator training and to provide a capability to validate SPDS features before they are implemented in the control room.

This training is intended to provide assurance that the SPDS will function as an effective aid to operating personnel during normal, abnormal, and emergency response conditions.

The training program is in two parts and some of its features are as follows:

o A users training course will train engineering and support staff as appropriate.

The phrase "as appropriate" is not defined.

o Control room operating personnel will be formally trained on the VYNPS simulator.

o Training topics for both users and operators will include:

  - system operation
  - display descriptions
  - expected use of displays
  - functional descriptions of hardware, software, and system characteristics

o Operator training will include additional appropriate topics.

o Operator training will be developed in accordance with Institute of Nuclear Power Operations (INPO) accreditation criteria and will address SPDS use during normal and abnormal conditions for situations when the SPDS is available and when it is not available.

o It will be emphasized that "the SPDS is intended to aid the control room operating personnel" and "does not replace other existing control room instrumentation."

4.8.2. Assessment

It appears that VYNPS will be able to demonstrate compliance with this requirement.

However, the SAR text should include comprehensive descriptions of the manpower requirements, attendance, and documentation of the content, extent, and schedules of the training programs including how they specifically relate to the critical safety functions, principal control functions, and EOPs.

These items must be described before it can be concluded that this requirement is met.

4.9. "The SPDS Display Shall be Designed to Incorporate Accepted Human Factors Principles so that the Displayed Information can be Readily Perceived and Comprehended by SPDS Users"

4.9.1. Discussion

A human factor engineering (HFE) plan will be prepared and applied as part of the SPDS project and the SPDS design will be evaluated against Section 18.2 of the SRP.

It is stated that:

o Human factors principles, criteria, and processes to be followed will be documented.

o Users, functions, tasks, and related information needs will be identified.

o Plant computer/SPDS workstations will be integrated into the existing control room arrangement and instrumentation.

o Workstations will provide full visual access to existing panels and will not interfere with normal activities of the operating crew.

o The methodology for designing and evaluating the man-machine interfaces and displays will be specified and documented.

However, the SAR does not include supporting descriptions or examples and does not state when the documentation mentioned above will be completed and available for evaluation.

The HFE plan and implementation activities are to be prepared and coordinated by personnel qualified in human factors methodology, plant operations, and computer/SPDS technology.

The SAR does not state who the personnel will be or how they are qualified.

Human factors personnel will review the displays and display development process at appropriate points in the process that are not defined in the SAR.

The detailed design display and multidiscipline review will be conducted in an iterative fashion.

The plan is to prepare a descriptive document to explain how the displays will function from a plant operator's perspective.

This document will provide a basis for display configuration management and preparation of software specifications and SPDS training materials.

The SPDS design will be evaluated against Section 18.2 of the SRP.

The review will be documented and deficiencies identified for follow-up action.

Details of review methodology, processes, and personnel, are not given.

The use of NUREG-0700 [6] guidelines is not specifically mentioned in the SAR and is not listed in the references, but is implied in the use of other references.

4.9.2. Assessment

The SAR text is not comprehensive enough to provide a basis to determine whether this requirement will be met.

It does not directly and specifically address the pertinent subjects and factors in enough detail.

The texts of SAR 3.0 (SPDS Design Considerations) and SAR 4.0 (SPDS Displays) imply that HFE factors and guidelines may have been incorporated.

It is apparent that VYNPS recognizes HFE needs and requirements but the text should be expanded and submitted to the NRC for review and evaluation to confirm that this requirement is met.

5. SUMMARY

The VYNPS SPDS SAR is actually a statement of what is planned to be done, and does not now contain enough information to support a final technical evaluation of the SPDS against Supplement 1 to NUREG-0737 requirements.

The text of the SAR conveys the impression that the SPDS design needs, performance criteria, parameters, and requirements are recognized and understood.

It appears that VYNPS is planning to meet all the NRC SPDS requirements, document their work, and report it to the NRC as required.

The present status of the VYNPS SPDS project is such that comprehensive auditable documentation is not available to describe the multitude of factors, processes, methodology, and performances which must be reviewed to determine that all of the NRC requirements are met.

These documents should describe all aspects of the work, including methodologies and processes for:

o Determining needs and performance characteristics requirements of displays and controls

o Display selection

o Design parameter determination

o Design review

o V&V

o Application of human factors guidelines.

Since the VYNPS SAR reviewed herein does not provide a detailed description and examples of all aspects of the SPDS process, an alternate and preferred determination of acceptability would be an on-site audit at a suitable time mutually acceptable to VYNPS and the NRC.

When the SPDS system design is sufficiently mature to allow comprehensive and detailed descriptions, it is recommended that VYNPC be requested to submit a revised SAR to the NRC for review.

The results of the review and evaluation will be the basis for deciding whether an audit is required.


REFERENCES

1. Vermont Yankee Nuclear Power Corporation, "Safety Analysis Report for the Vermont Yankee Safety Parameter Display System," July 30, 1985.

2. Vermont Yankee Nuclear Power Corporation, "Functional Safety Parameter Display System Safety Analysis Report for Vermont Yankee Nuclear Power Corporation," January 1985.

3. U. S. Nuclear Regulatory Commission, NUREG-0737, "Clarification of TMI Action Plan Requirements," November 1980, Supplement 1, December 1982.

4. U. S. Nuclear Regulatory Commission, NUREG-0800, "Standard Review Plan for Review of Safety Analysis Reports for Nuclear Power Plants," Section 18.2, Human Factors Review Guidelines for the Safety Parameter Display System (SPDS), Rev. 0, November 1984, and Appendix A to SRP Section 18.2.

5. Verification and Validation for Safety Parameter Display Systems, NSAC/39, Science Applications, Inc., December 1981.

6. U. S. Nuclear Regulatory Commission, NUREG-0700, "Guidelines for Control Room Design Reviews," September 1981.

7. U. S. Nuclear Regulatory Commission, "Safety Evaluation Report of BWR Emergency Guidelines, Revision 3," November 23, 1983.

APPENDIX

SAR TABLE 1

Correlation Between NUREG-0737 Supplement 1 CSFs, Generic EPGs, EPG Principal Control Functions, and VYNPS EOPs

NUREG-0737, S1 Generic EPG Principal Control VY EOP

CSF Rev. 3 Function (Ref. 7)

Reactivity Control Reactor Power Control Reactivity 4.1.f.(i)

Control Core Cooling RPV Control RPV Level Control RPV Level

& Heat Removal Control 4.1.f.(ii)

Reactor RPV Pressure Control Containment System Integrity 4.1.f.(iii)

Primary Containment Pressure Control Drywell Pressure &

Drywell Temperature Temperature Primary Control Control Containment Control Suppression Pool Temperature Control Torus Temperature

& Level Suppression Pool Water Control Level Control Containment Conditions Secondary Containment 4.1.f.(v)

Temperature Control Secondary Secondary Containment Secondary Containment Containment Control Water Level Control Control Secondary Containment Radiation Control Radioactivity Radioactivity Radioactivity RPV Level Control Release Control Release Control Control 4.1.f.(iv)


SAR TABLE 2

Principal Control Function Parameters

Reactor power level
RPV water level
RPV pressure
Drywell pressure
Torus water temperature
Torus water level
Reactor building temperature
Reactor building water level
Reactor building radiation level


SAR TABLE 3

VYNPS EOP Entry Condition Parameters

OE 3101 - Reactivity Control Procedure
  Reactor power
  Scram command

OE 3102 - RPV Level Control Procedure
  RPV water level

OE 3103 - Drywell Pressure and Temperature Control Procedure
  Drywell RRU average temperature
  Drywell pressure

OE 3104 - Torus Temperature and Level Control Procedure
  Torus water volume
  Torus water temperature

OE 3105 - Secondary Containment Control Procedure
  Reactor building area temperature
  Reactor building vent exhaust radiation
  Reactor building area radiation
  Reactor building area water levels
  Reactor building floor drain sump continuous operation


SAR TABLE 4

VYNPS EOP Limit Curves and Associated Parameters

OE 3102 Maximum Acceptable Core Uncovery Time
  Time after reactor shutdown
OE 3102 Primary Containment Pressure Limit
OE 3103 Torus Pressure
  Torus Water Level
OE 3103 RPV Saturation Curve
  Drywell temperature near cold reference legs
  RPV pressure
OE 3103 Drywell Spray Initiation Pressure Limit
OE 3104 Torus air space temperature
  Torus pressure
OE 3103 Pressure Suppression Pressure Limit
  Torus pressure
  Torus water level
OE 3104 Torus Water Level Limit
  Torus water level
  Drywell/torus differential pressure
OE 3104 Torus Heat Capacity Limit
  Torus water level
  Torus water temperature
OE 3104 NPSH Limit Curve
  Torus air space pressure
  Torus water temperature
OE 3104 Torus Load Limit
  Torus water level
  RPV pressure
OE 3104 Torus Heat Capacity Temperature Limit
  Torus temperature
  RPV pressure

SAR TABLE 5

SPDS Parameters and Sources

(Column headings: Principal Control Parameter, EOP Entry, EOP Limit Curve)

1. Reactor power: x x
2. RPV water level: x x
3. RPV pressure: x x
4. Drywell pressure: x x x
5. Torus water temperature: x x x
6. Torus water level (b): x x x
7. Scram command: x
8. Drywell RRU average temperature (a): x x
9. Reactor building vent exhaust radiation (c): x x
10. Reactor building area radiation (c): x x
11. Reactor building area water levels (d): x x
12. Reactor building floor drain sump continuous operation: x
13. Reactor building area temperatures (e): x x
14. Time after reactor shutdown: x
15. Drywell temperature near cold reference legs: x
16. Torus air temperature: x
17. Torus air pressure: x
18. Drywell & torus hydrogen and oxygen concentrations
19. Primary containment isolation demand
20. Plant stack radioactivity release
21. Main steam line radiation
22. Containment area radiation

NOTE:

Items 1 through 17 above are from SAR Tables 2, 3, and 4.

Items 18 through 22 above are in addition to SAR Tables 2, 3, and 4.

a. Drywell RRU average temperature (from SAR Table 3) serves for Drywell temperature from SAR Table 2.

b. Torus water level (from SAR Table 2) serves for torus water volume from SAR Table 3.

c. Reactor building vent exhaust radiation and area radiation (from SAR Table 3) serves for building radiation level from SAR Table 2.

d. Reactor building area water levels (from SAR Table 3) serves for reactor building water levels from SAR Table 2.

e. Reactor building area temperatures (from SAR Table 3) serves for reactor building temperature from SAR Table 2.