ML20151Y536
| ML20151Y536 | |
| Person / Time | |
|---|---|
| Site: | South Texas |
| Issue date: | 01/30/1986 |
| From: | Kadambi N Office of Nuclear Reactor Regulation |
| To: | Goldberg J HOUSTON LIGHTING & POWER CO. |
| Shared Package | |
| ML20151Y542 | List: |
| References | |
| NUDOCS 8602120736 | |
Docket Nos.: 50-498 and 50-499

Mr. J.H. Goldberg
Group Vice President-Nuclear
Houston Lighting and Power Company
P.O. Box 1700
Houston, TX 77001

Dear Mr. Goldberg:

SUBJECT: AUDIT REPORT ON THE QDPS AT SOUTH TEXAS PROJECT, UNITS 1 and 2

The NRC staff audited the design process and the verification and validation plan for a part of the Qualified Display Processing System (QDPS) being built for you by Westinghouse Electric Corporation. The audits were performed between August 25 and 29, 1985 at the Westinghouse manufacturing facility. The enclosure to this letter provides a report of the audits.

Based on our audit of the design process and the verification and validation plan for the steam generator level compensation function within the QDPS, the staff concludes that it is generally acceptable for you to continue the design and manufacture of this system and to execute the verification and validation plan. However, this acceptance is conditional to having a validation plan sufficiently broad in scope to address any discrepancies in the design process and account for the lack of independent, formal design verification. The staff's review of the validation plan will be conducted at a future audit.

In addition, we have identified issues on software maintenance and documentation which should also be audited. We have tentatively scheduled the next audit between March 24 and 27, 1986 at the same location.

Sincerely yours,

N. Prasad Kadambi, Project Manager
PWR Project Directorate No 5
Division of PWR Licensing-A

Enclosure:
1. Audit Report, Houston Lighting & Power Company, Qualified Display Processing System

cc:
J. Joyce, NRC (RSIB/DSRO)
L. Beltracchi, NRC (EICSB/PWR-B)
J. Mauck, NRC (EICSB/PWR-A)
F. Rosa, (EICSB/PWR-A)

Distribution:
Docket File
E. Jordan
NRC PDR
B. Grimes
Local PDR
J. Partlow
PD#5 Reading File
P. Kadambi
OELD
M. Rushbrook
Mr. J. H. Goldberg
Houston Lighting and Power Company
South Texas Project

cc:
Brian Berwick, Esq., Assistant Attorney General, Environmental Protection Division, P. O. Box 12548, Capitol Station, Austin, Texas 78711
Resident Inspector/South Texas Project, c/o U.S. Nuclear Regulatory Commission, P. O. Box 910, Bay City, Texas 77414
Mr. J. T. Westermeir, Manager, South Texas Project, Houston Lighting and Power Company, P. O. Box 1700, Houston, Texas 77001
Mr. Jonathan Davis, Assistant City Attorney, City of Austin, P. O. Box 1088, Austin, Texas 78767
Mr. H. L. Peterson and Mr. G. Pokorny, City of Austin, P. O. Box 1088, Austin, Texas 78767
Citizens Concerned About Nuclear Power, 5106 Casa Oro, San Antonio, Texas 78233
Mr. J. B. Poston and Mr. A. Von Rosenberg, City Public Service Board, P. O. Box 1771, San Antonio, Texas 78296
Mr. Mark R. Wisenberg, Manager, Nuclear Licensing, Houston Lighting and Power Company, P. O. Box 1700, Houston, Texas 77001
Jack R. Newman, Esq., Newman & Holtzinger, P.C., 1615 L Street, NW, Washington, D.C. 20036
Mr. Charles Halligan and Mr. Burton L. Lex, Bechtel Corporation, P. O. Box 2166, Houston, Texas 77001
Melbert Schwartz, Jr., Esq., Baker & Botts, One Shell Plaza, Houston, Texas 77002
Mr. E. R. Brooks and Mr. R. L. Range, Central Power and Light Company, P. O. Box 2122, Corpus Christi, Texas 78403
Mrs. Peggy Buchorn, Executive Director, Citizens for Equitable Utilities, Inc., Route 1, Box 1684, Brazoria, Texas 77422
Regional Administrator, Region IV, U.S. Nuclear Regulatory Commission, Office of Executive Director for Operations, 611 Ryan Plaza Drive, Suite 1000, Arlington, Texas 76011
Mr. Lanny Sinkin, Christic Institute, 1324 North Capitol Street, Washington, D.C. 20002
Mr. S. Head, Representative, Houston Lighting and Power Company, Suite 1309, 7910 Woodmont Avenue, Bethesda, Maryland 20814
ENCLOSURE 1

AUDIT REPORT
HOUSTON LIGHTING AND POWER COMPANY
QUALIFIED DISPLAY PROCESSING SYSTEM

I. BACKGROUND

The Houston Lighting and Power Company (HL&P) is developing a microcomputer based system to perform functions which will directly impact upon the safe operation of its South Texas Project (STP). The STP is a dual 1250 MW Westinghouse Pressurized Water Reactor (PWR) Nuclear Generating Station which is currently scheduled for completion and licensing by October 1986.
The microcomputer based system is being designed and developed by Westinghouse and it is called the Qualified Display Processing System (QDPS). This system is described in the applicant's FSAR and it is being designed to perform the following functions:
o Data acquisition, processing, and qualified (Class 1E) display for Post Accident Monitoring,

o Data acquisition, display, and analog control for Safe Shutdown and to address separation/isolation concerns for a postulated Control Room/Relay Room fire,

o Data acquisition and digital processing of steam generator water level signals and primary coolant system hot leg temperature signals and transmission of these processed signals for use by the Reactor Trip System.

The applicant has conducted several meetings with the staff to discuss the design and development of the QDPS (Refs. 1-3). During these meetings the staff was asked to also review and comment on the Design Verification and Validation (V&V), Reference 5, as part of the safety evaluation of the QDPS.

The staff's review of the QDPS began with an audit of the V&V plan and related activities. Reference 4 presents the staff's agenda. The audit was conducted at Westinghouse's Training Center, located in Monroeville, Pa., on August 26-29, 1985, and was supported by a consultant from SoHar Incorporated. The consultant's technical evaluation report (TER) is attached.
II. AUDIT RESULTS

The staff's audit focused on the steam generator water level compensation function since its design was completed. The audit activities consisted of an evaluation of the design process, the verification and validation plan, and products from the implemented verification and validation plan.

A. Design Process

Our review of design documentation on the steam generator water level compensation function found the functional requirements adequate. We note that a man-machine interface subsystem was part of the design. The purpose of this interface is to provide a means to periodically test the function and to diagnose faults in the system should they occur.

Our audit also evaluated the process used to decompose the functional requirements into computer code specifications and the generation of the code itself. The design and implementation were done in an iterative manner and it appeared that final specifications for the code were documented after the code was generated. We also determined that no formal task analysis was conducted in the design of the man-machine interface. In addition, there was no evidence on the use of a requirements matrix to structure the decomposition of the functional requirements. (See Enclosure A). However, there was evidence that design reviews were conducted during the process used to decompose functional requirements. We conclude that the process used to decompose functional requirements may not have defined all subfunctions and tasks.
B. Verification And Validation Plan

During our audit, we evaluated a revised verification and validation (V&V) plan (Ref. 5). Earlier versions of the plan were also available. We compared the V&V plan with IEEE-ANS-7.4.3.2-1982, "Application Criteria for Programmable Digital Computer System of Nuclear Power Generating Stations" (Ref. 6). We noted that the independent design verification of initial design activities and products was not present in the revised V&V plan, but had been present in earlier versions. The remainder of the plan appeared to conform to the standard (See Enclosure A for additional details). We conclude that with the exception of independent design verification activities, the V&V plan is acceptable.
C. Implementation of V&V Plan

Westinghouse had already implemented part of the V&V plan and initial results were being provided for the independent verification tests on units of software at the time of our audit. We audited this process and found it to be highly automated and structured. We concluded that it should detect critical errors in the code and automation had reduced the potential for human error.

Our audit did not find evidence to support a finding that an independent verification of the design had taken place. Independent verification tests on units of software were the first elements of the V&V plan implemented. Thus, we conclude that verification activities began very late in the life cycle of the QDPS. We further conclude that the independent verification tests on the units of software were acceptable to the staff.
D. Reliability

The question on the overall reliability of the QDPS is still an open issue. The staff requested HL&P to document that the QDPS reliability is equal to or greater than that of existing analog systems.
III. Future Audit Issues

Based on the information acquired during the initial audit of the QDPS, we recommend three additional staff audits as follows:

o A functional audit of the Plant Safety Monitoring System and of the Qualified Control (Class 1E) within the QDPS;

o An evaluation audit of the validation plan;

o An evaluation audit of the test process and test results.

We recommend these audits be conducted at Westinghouse's facilities because design and test documentation will be required. Enclosure B is a list of documentation required for the second audit.

In addition, the following issues were not covered and will be carried as agenda items for future audits:

o software maintenance practices prior to and during operational use of the system;

o user and maintenance documentation;

o verification of the program listing.
IV. CONCLUSIONS AND RECOMMENDATIONS

Based on our audit of the design process and the verification and validation plan for the steam generator level compensation function within the QDPS, the staff concludes that it is generally acceptable for the applicant to continue the design and manufacture of this system and to execute the verification and validation plan. However, this acceptance is conditional to having a validation plan sufficiently broad in scope to address any discrepancies in the design process and account for the lack of independent, formal design verification. This means that the validation plan should include a technique to demonstrate completeness between Functional Requirements and Software Design Specifications that were turned over to the validation team. The staff's review of the validation plan will be conducted at a future audit.

In addition, we have identified issues on software maintenance and documentation which should also be audited. We recommend a minimum of three additional staff audits to complete the review of the QDPS.
REFERENCES

1. Letter from M.R. Wisenburg, Houston Lighting and Power Company, to H.L. Thompson, Jr., NRC, Subject: Action Items Resulting from December 12, 1984 Meeting on QDPS V&V Plan, dated March 28, 1985.

2. Memorandum from N.P. Kadambi, NRC, to G.W. Knighton, NRC, Subject: Notice of Meeting to Discuss the Qualified Display Processing System - South Texas Project, dated June 14, 1985.

3. Memorandum from N.P. Kadambi, NRC, to G.W. Knighton, NRC, Subject: Notice of Meeting with Houston Lighting & Power Company's South Texas Project, dated August 6, 1985.

4. Memorandum from N.P. Kadambi, NRC, to G.W. Knighton, NRC, Subject: Notice of Meeting with Houston Lighting and Power Company's South Texas Project to Audit the Verification and Validation of the QDPS, dated August 19, 1985.

5. Letter from M.R. Wisenburg (HL&P) to G.W. Knighton, NRC, dated September 24, 1985, Subject: QDPS Verification and Validation Plan, with attachment, Design Specification Number 955842, Rev. 3.

6. ANSI/IEEE - ANS 7.4.3.2-1982, "Application Criteria for Programmable Digital Computer Systems In Safety Systems of Nuclear Power Generating Stations."