ML20151Z498
| ML20151Z498 | |
| Person / Time | |
|---|---|
| Site: | Vermont Yankee File:NorthStar Vermont Yankee icon.png |
| Issue date: | 05/02/1988 |
| From: | Murphy W VERMONT YANKEE NUCLEAR POWER CORP. |
| To: | NRC OFFICE OF ADMINISTRATION & RESOURCES MANAGEMENT (ARM) |
| Shared Package | |
| ML20151Z501 | List: |
| References | |
| FVY-88-33, NUDOCS 8805050285 | |
| Download: ML20151Z498 (13) | |
Text
{{#Wiki_filter:A 9 VERMONT YANKEE NUCLEAR POWER CORPORATION F 88-33 RD 5, Box 169. Ferry Road, Brattleboro, VT 05301 ENGINEERING OFFICE y 1671 WORCESTER ROAD FRAMINGHAM, M ASS ACHUSETTS 01701 May 2, 1988 U.S. Nuclear Regulatory Commission Washington, D.C. 20555 Attn: Document Control Desk References a) License No. DPR-28 (Docket No. 50-271) b) Letter, VYNPC to USNRC, FVY 86-67, SPDS Safety Analysis Report, dated 7/30/86 c) Letter, VYNPC to USNRC, FVY 87-120, Vermont Yankee Safety Parameter Display System, dated 12/21/87 d) Letter, USNRC to VYNPC, Request for Additional Information, Safety Parameter Display System (SPDS) (TAC No. 51295), dated 1/28/88 e) Letter, VYNPC to USNRC, FVY 87-106, Procedures Generation Package, Revision 1
Dear Sir:
Subject:
Vermont Yankee Safety Parameter Display System f By letter dated December 21, 1987 (Reference c)), Vermont Yankee responded to NRC questions concerning electrical isolators used in the Emergency Response Facility Information System (ERFIS) and presented a status of our ERFIS Project. i At the present time, all top level hardware and software designs have been completed. Additionally, several ERFIS-related installation tasks have begun, including the Computer Roor eg ension, Uninterruptible Power Supply (UPS), and Data Acquisition System I'#.$). On January 28, 1988, Vermont Yankee received your request for information concerning the Safety Parameter Display component of ERFIS (Reference d)). The enclosed material provides the information requested. I trust that this material is responsive to your needs. In the event you have any further questions, please do not hesitate to contact Robert Sojka, ERFIS Program Manager. Very truly yours, VERMONT YANKEE NUCLEAR POWER CORPORATION JJ ,f, d d*u--. Warren P Mur y j' Vice Pr sident abd /dm Manager of Operations cc: V.L. Rooney, USNRC f 7 Regional Administrator, Region I USNRC Resident Inspector, VYNPC kn 8805050285 890502 PDR ADOCK 05000271 1 F DCD
LIST OF ENCLOSURES ENCLOSURE 1 Response to NRC Questions ENCLOSURE 2 Human Factors Program Plan ENCLOSURE 3 Verification and Validation Plan FIGURE 1 Control Room Plan L
ENCLOSURE 1 Response to NRC Questions ISOLATION DEVICES Vermont Yankee previously responded in Reference c) to NRC requests one through six concerning isolation devices. One additional re 'est was forwarded by Reference d) concerning the power source for the isolators and is addressed below. QUESTION: Provide information to verify that the Class 1E isolator is powered from a Class 1E power source.
RESPONSE
The analog and digital isolators used in the Vermont Yankee SPDS do not require Class IE electrical power. The analog isolators are transformer coupled and draw electrical power from the non-1E portion of the circuit. The digital isolators achieve signal isolation optically. As such, isolation integrity is not compro-mised upon loss of electrical power. PARAMETER SELECTION QUESTION: Are reactor power variable inputs intended to allow determination of the Reactivity Critical Safety Function status for all plant conditions from reactor startup to full power, and to reactor shutdown?
RESPONSE
The reactor power variable inputs to SPDS cover the entire range between reactor shutdown and full power and include APRM and SRM value and status information. QUESTION: Provide a commitment (a) that an operator located at the SPDS station can effectively utilize the hardwired containment isola-tion displays to rapidly and reliably assess that all necessary containment isolation valves operate properly in response to an isolation signals and (b) that the relative position, orien-tation, and visual access of the hardwired containment isolation valve displays with regard to the SPDS station will be maintained or improved.
RESPONSE
Vermont Yankee will provide an SPDS terminal in the control room COMMITMENT: in a location where the control room operators can effectively utilize the SPDS in concert with the hardwired containment isola-tion displays to rapidly and reliably assess that all necessary containment isolation valves operate properly in response to isolation signals. The relative position, orientation and visual access of the hardwired displays with regard to the SPDS station will be maintained.
Page 2 RAPIO AND RELIABLE QUESTION: For operator initiated SPDS requests, identify the design goals for system display response times under worst-case load con-ditions.
RESPONSE
The design goal for system display response times to operator requests under worst case load conditions is two seconds. QUESTION: How will system sampling and update rates assures a) that the SPOS displays are current and accurate; and b) that there is no meaningful loss of information?
RESPONSE
Updating of SPOS sensor data points and calculations will be per-formed at a rate consistent with the parameter time constant. This is determined individually for each type of sensor by first evaluating the sensor response characteristics and then applying engineering judgement to compensate for system response charac-teristics. The average length of time for a signal step change at the source to propagate through the entire SPDS and update values on the CRT will be less than ten seconds. Data scanning and screen refresh rates will be established to support the ten second update criteria. This criteria will be applied and measured during the Factory Acceptance Testing. QUESTION: Describe detailed methodology on how SPDS functions (a) will receive computer execution priority; and b) will be protected from unauthorized changes by formal design contral, software and hardware configuration control, and documentation of procedures.
RESPONSE
System execution priorities will be assigned during Integration and Factory Acceptance Testing such that SPDS functions will meet the response time criteria provided by Reference b) during the worst case load conditions. The highest priority processes will be assigned to those supporting live data input, alarm processing and display functions. During SPDS development, a System Quality Assurance Plan (SQAP) provides quality assurance directives to 1) ensure compliance with the Vermont Yankee reqLirements specifications; 2) ensure compliance with standards and requirements of other organiza-tions, including El Systems and the Nuclear Regulatory Commission;
- 3) facilitate the process of delivering a quality product; and 4) establish formalized procedure requirements.
The SQAP follows the generic outline and intent of ANSI /IEEE Standard 730. Independent reviews are conducted during each software design, development, implementation, and testing phase. These reviews are conducted as a part of the vendor's
Page 3 "in-process" verification and validation. During development, all software documentation, including design and program review reports are controlled in accordance with the vendor's Software Standard Manual, which uses an automated source code management tool, CMS, for software configuration control. CMS stores source files in a library, keeps track of changes made to the files, and records user access to the files. Controlled program revisions follow standards specified in the SQAP. Hardware engineering design, development, implementation, and testing will be governed by the standards, practices, and procedures set forth in the ven-dor's approved Quality Assurance Manual, Project Requirements Document, Engineering Standards Manual, and Engineering Procedures Manual. Hardware configuration will be frozen at the start of integration testing (estimated mid-1988). From this point forward, it will be managed and controlled according to the revision of the con-figuration drawings. An independent verification and validation coremittee verifies that designs are in compliance with the rtquirements of the SPDS portion of the Vermont Yankee Requirements Document, provides input to the validation test plans and procedures, and verifies that the overall validation and procedures are executed properly. After the SPDS is installed and becomes operational at the Vermont Yankee site, the design configuration of the system will be controlled by a formal Vermont Yankee configuration control procedure. This procedure will assure that changes to SPDS hard-ware and software receive review and authorization prior to implementation and that system documentation is properly main-tained. The procedure (s) may be newly developed or may be incor-porated into existing configuration control procedures. The configuration control procedure (s) will also assure that SPDS remains integrated with other provisions of NUREG 0737, Supplement 1, such as, for example, maintaining consistency bet-ween the SPDS and Emergency Operating Procedures. QUESTION: Define what "if appropriate" means concerning SPDS signals undergoing real-time pass / fail processing, range limit checking, interchannel comparison, and validation algorithm processing.
RESPONSE
Signal validation processing includes pass / fail processing and range limit checking for all SPDS parameters as indicated in the SPDS Safety Analysis Report. For some, but not all SPDS parame-ters, there are sufficient redundant signals so that interchs.nel comparison can be performed by the computer by processin; the signals through validation algorithms. Validation algorithms will enable a higher level of quality tagging to be associated with parameters which have a sufficient redundancy of signals.
Page 4 QUESTION: Discuss the suitability of display accuracy and the time and value resolutions of trend graphs.
RESPONSE
The resolution of the color graphics terminals is 720 x 336. The time of SPDS trended values is 60, 30 or 10 minutes. All provide suitable display accuracy. The value scales on trend graphs are sized to allow up to four trends per page while displaying the full range of the parameter scale gradations. Spacing follows accepted human factors principles consistent with the intended use and limitations of the time trend features. Digital numeric value and color coded bars are an integral part of each trend graph. QUESTION: Discuss procedures, methodology, and criteria to determine inva-lid, unvalidated, and validated data categories.
RESPONSE
Data that are being scanned, pass hardware tests, are in-range, and pass interchannel validation tests (if specified) show the data value and are colored GREEN or RED according to their alarm state. Data that are not being scanned, fail hardware tests, are out-of-range, or fail the validation test are colored PURPLE. Data that are being scanned, pass hardware tests, are in-range, but that have failed a validation test show the data value and are colored PURPLE. Data that are being scanned, pass hardware tests, but are out-of-range have the range limit put into the data value and are colored PURPLE. Data that are being scanned but fail hardware tests are colored PURPLE and have "BAD" substi-tuted for the numerical value. Data that are not being scanned are colored PURPLE and show manually-entered data or "BAD", depending on whether or not a user has entered data. The level of validation of a piece of digitally-displayed analog data is indicated by a tag placed to the immediate left of the digital value. Data that have been subjected to validation by a cross-comparison have a WHITE "V" tag to the left of the numeri-cal value. Data that have been manually entered have a WHITE ("*") to the left of the numerical value, whether or not valida-tion is normally performed. Data that have not been subjected to validation by a cross-comparison and that have not been manually entered have a blank quality tag. QUESTION: Indicate details to support the acceptability of the interconnec-tions, interrelationships, and interdependent performance between the new integrated computer system and the SPDS,
RESPONSE
SPDS functions are included as an inherent portion of an integrated computer software structure that is field proven for SPDS applications. It is a version of the R* TIME software
k ) Page 5 package used by EI International for ERF and integrated systems i already delivered to the James A. Fitzpatrick Plant, Millstone Point Unit 2, South Texas Projects Units 1 und 2, Palo Verde Units 1, 2 and 3, and the Fort Calhoun Plant, The R* TIME design was originally developed for ERF systems, then expanded to include other plant computer functions. The time critical real-time functions are tuned and optimized in the ERF/SPDS environment. The highest priority processes within the system are those supporting live data input, alarm processing, and display functions. It is these functions used most by SPDS. On-Demand functions and other less time-critical functions are in separate modules, separately scheduled and managed, and use resources only when not being used by the higher priority modu-les. These lower priority functions do not lock up resources required by the higher priority functions. LOCATION CONVENIENT QUESTION: Label and describe the illustration of the control room con-figuration (e.g.. Figure 1 on page 26 of July 30, 1986 SAR) in order to substantinte that the SPDS, including containment isola-tion displays: 1, are easily recognizable and readable; b) are located such that they can been seen by operators and c) do not interfere with operator movement or visual access to other important displays.
RESPONSE
A new Figure 1 has been provided which reflects the improvements i resulting from a human factors review. CONTINUOUS DISPLAY l J j QUESTION: State how the SPDS system will prevent the selection of displays that will interrupt the continuous display of information on the five critical safety functions. i i
RESPONSE
A plant overview display will automatically appear on the control room SPDS station any time that an E0P entry condition is met. When the plant overview display appears automatically, it will require operator acknowledgement to release the terminal for other displays. 4 QUESTION: In addition to an EOP entry condition status box, how will opera-tors be made aware of important changes in status of safety pera-meters? l
RESPONSE
In addition to providing E0P N.ry Condition Status Blocks and automatic call-up of the SPDS overview display, principle control i parameter information is provided at the top of each high level l SPDS display page. The status blocks and control parameter l information will respond in red or green color to the alarm i 1 state. In this way, control room operators will be made aware of ( 4 important changes in status of the following parameters: j h .- ~
Page 6 Reactor Power Level Torus Water Level Reactor Water Level Torus Water Temperature Reactor Pressure Torus Pressure Drywell Pressure Area and Process Radiation Drywell Temperature Containment Isolation Status SAFETY STATUS WI1H AND WITHOUT SPDS QUESTION: Define "as appropriate" concerning the users training program.
RESPONSE
The discussion of User Training in Section 9.1 of the SAR referred to a general level of training that will be provided for eng*;neering and support staff who may find SPDS helpful in the performance of their assigned responsibilities. Clearly, all potential "users" of the SPDS will need to have some familiarity with the system. For example, personnel may need to view or interpret SPDS displays in emergency response facilities outside the control room and engineering and management personnel may need to be familiar with the system. This will be provided by an overview training course that will include topics of system operation, display descriptions and use, as well as functional descriptions of hardware, software and system characteristics. Control room operating personnel who will use SPDS in the course of performing control room operations will receive much more extensive SPDS training, as discussed in Section 9.2 of the SAR. QUESTION: Discuss how the implementation of procedures is integrated with the SPDS.
RESPONSE
VYNPS Emergency Operating Procedures (EOP's) have been imple-mented in accordance with the Procedures Generation Package sub-mitted previously to the NRC by Reference e). The E0P's provide control room operating personnel with procedures for assessing plant information to take corrective action and to respond to symptomatic indications that cover a wide range of transient and accident conditions. The VYNPS E0P's have been structured and control room personnel have been trained so that an SPDS is not required for entry to or execution of the E0P's. The SPDS has been designed to be used as an operator aid in sup- ] port of the E0P's. The E0P's and the SPDS are mutually colla-borative. The principle control parameters needed for assessing plant safety status are embodied in both. The E0P Entry Conditions and Limit Curves are duplicated and alarmed in the SPDS. Integration of the SPDS and the E0P's will be demonstrated i during the dynamic Man-Machine Validation discussed in Section 8.0 of the SAR and during the routine operator training programs which will follow.
Page 6 Reactor Power Level Torus Water Level Reactor Water Level Torus Water Temperature Reactor Pressure Torus Pressure Drywell Pressure Area and Process Radiation Drywell Temperature Containment Isolation Status SAFETY STATUS WITH AND WITHOUT SPOS QUESTION: Define "as appropriate" concerning the users training program.
RESPONSE
The discussion of User Training in Section 9.1 of the SAR referred to a general level of training that will be provided for engineering and support staff who may find SPDS helpful in the performance of their assigned responsibilities. Clearly, all potential "users" of the SPDS will need to have some familiarity with the system. For example, these personnel who may need to vieworinterpretSPOSdispga,,ysinemergencyresponsefacilities outside the,ontrol roomp :. = as engineering and management personnel need to be familiar with the system. This will be provided by an overview training course that will include topics of system operation, display descriptions and use, as well as functional descriptions of hardware, software and system charac-teristics. Control room operating personnel who will use SPDS in the course of performing control room operations will receive much more extensive SPDS training, as discussed in Section 9.2 of the SAR. QUESTION: Discuss how the implementation of procedures is integrated with the SPDS.
RESPONSE
VYNPS Emergency Operating Procedures (EOP's) have been imple-mented in accordance with the Procedures Generation Package sub-mitted previously to the NRC by Reference e). The E0P's provide control rnom operating personnel with procedures for assessing plant information to take corrective action and to respond to symptomatic indications that cover a wide range of transient and accident conditions. The VYNPS E0P's have been structared and control room personnel have been trained so that an SPDS is not required for entry te or execution of the E0P's. The SPDS is designed to be used as an operator aid in support of the E0P's. The E0P's and the SPDS are mutually collaborative. The principle control parameters needed for assessing plant safety status are embodied in both. The E0P Entry Conditions and Limit Curvet are cuplicated and alarmed in the SPDS. Integration of the SPCS and the E0P's will be demonstrated during the dynamic Man-Machine Validation discussed in Section 8.0 of the SAR and during the routine operator training programs which will follow.
l Page 7 !.i PROMPT IMPLEMENTATION [ QUESTION: Regarding the use of the control room, as a test bed for SPDS, address the following concerns: l a. misleading control room operators b. potential limitations in developing and testing the SPDS in the control room; c. placing the SPDS into a test mode from outside the control room; and d. method (s) to be used to notify control room operators l that tests are taking place. i L
RESPONSE
Vermont Yankee has had a full scope, plant specific training simulator at our Brattleboro Training Center since December 1985. We believe the simulator to be the proper place for man-machine l . validation and training for SPDS and committed to replicating SPDS on the training simulator in paragraph 8.2 of the SAR. Since the training simulator will be used to validate and train for SPDS there will be no need to use the station control room as a test bed for SPDS. By procedure, the Vermont Yankee computer system engineer is required to notify the control room operators and to request per-mission to take the plant computer out of service or to perform computer system tests prior to doing so. If in the event the SPD5 should fail or should lose communication with the output terminals, the terminals and digital displayu have been designed to go blank, alerting the operators that SPDS has become una-vailable. i HUMAN FACTORS PRINCIPLES QUESTION: Provide a copy of or describe the proposed Human Factors Engineering (HFE) plan. j
RESPONSE
A copy of the Vermont Yankee Human Factors Program Pit,n is pro-vided as Enclosure 2. [ QUESTION: When will documentation on the HFE elements be completed and f available for evaluation?
RESPONSE
Final documentation describing the HFE program findings will be available in a Human Factors Engineering Report, scheduled for I release approximately September 1988. [ QUESTION: Indicate the review methodology, processes, and personnel to be utilized in evaluating the SPDS design against Section 18.2 of the SRP. Specify the "appropriate points" when human factors l personnel will review the SPDS displays, controls, and display development process. j f l
Page 8
RESPONSE
The numan factors involvement in the SPDS has utilized a top-down approach. As such, the vendor's human factors personnel have participated in the design as it evolved rather than review and critique the completed design. The human factors personnel have benefitted from other SPDS projects and have developed guidelines and methodologies that have influenced the design of the Vermont Yankee ERFIS from the beginning of the project. The guideline review points and methodologies are presented in the enclosed Human Factors Program Plan, Enclosure 2. QUESTION: State whether NUREG 0700 guidelines will be used to evaluate the SPDS design and implementation.
RESPONSE
NUREG 0700 guidelines will be used to evaluate the SPDS design and implementation. QUESTION: Describe display details such as arrangements, grouping, visual characteristics, usability, and selection process. RESPDNSE: The organization of the Vermont Ycnkee SPDS displays follow the Vermont Yankee weergency operating procedure format. Thus snere is an overview display for each procedure and additional sup-porting displays, as appropriate. In addition, there is a single plant overview display, a display for system isolation, and a series of displays showing individual sensors that input to the principle control function parameters and other parameters. Data are shown on the displays in a variety of formats including digitally presented numeric values, time trend plots, bar charts, and X-Y plots. Alarm status is shown by the use of color and flashing in typical annunciator fashion. The presentation of data formats has been consistently applied from display to display both in terms of color and display format. The general format has been developed based on other proven SPDS designs that are in the field and have been accepted by operating personnel. The methods used to call-up or access the Vermont Yankee SPDS displays will include direct call-up using a dedicated function key, call-up from an SPDS menu, and call-up by screen touch field. High level SPDS displays, including the SPDS menu will have dedicated keys assigned to allow for direct call-up by the user. In addition, the SPDS displays will use touch fields to page from one display to another. These touch fields are con-sistently placed in an array across the bottom of all SPDS displays and allow direct access to any of the control function displays from any SPDS display.
1 Page 9 VERIFICATION ANQ VALICATION QUESTION: Expand the description of the verification and validation process to include a) auditable description of plans: b) illustrations and examples; c) criteria: d) procedures; and e) schedules. Discuss the rationale for the choice between test and engineering evaluations to be utilized in the validation process.
RESPONSE
A complete description of the SPOS verification and validation process has been attached as Enclosure 3, Verification and Validation Plan. QUESTION: Provide a commitment to select scenarios for the man-machine validation to assess the safety status for a wide range of events, including symptoms of severe accidents.
RESPONSE
Vermont Yankee will use scenarios in the man-machine validation ranging from simple events to complex combinations of events. The most complex scenarios will include multiple failures that will expose operators to severe accident scenarios. Selection of the complex accident scenarios will be made to ensure compliance with the requirements of ANSI /ANS 3.5-1985, Sections 4.3 and A.3.3, as endorsed by Regulatory Guide 1.149.
.N l FIGURE 1 i e' W ie ' l-,.*.ry*:t..: w,y f. e. t <.
- a. < s
...i, /=rI... 6 o P t. as pit.. 8 l 1 l c.3 .m. i n l l 3, v.p c,.,9 2.'..' ' a.. I L. N g
- i.. i i
.s & l l / ,?/. 1 l gs / 3.,% s u. ys w.. i b'i. ? / N I j' r,'3, l _ _[ w f , - 1. _ , s i r,) !i i . + 3, % s 'i,? i h.: i i I 'k'*h p '"I'---A gN hk{ ' e i bI - 2;- - .,,-l 1 --{i -3 ~ i G a m
- 1. I : s.
n 4* s.'o ,n ' * ~'. %)\\,,,r' i i -( l;I 8 f. 4 l%11l-li I / e c I-l 'C %. ? Ia } e, I.!
- j. t_ h,--** :
g-g i *, h! gkyY if/). 7 k,. l* Jl bA / r
- .. ;l
.x l ,ffh,.#,? t' 8. ( [ 3 N s f* Q '. - - {j^g3 N'# / ',# } h.,..f.. n l. t t' f e., sg-t, r p"4"ti1'p/.(e t
- - e
.; l ri' / T t[ l 1 s M 7 l' 1 I w, / () . I _1 fl \\ l s f P-~ s. / 7 I / I / s o s- .q. 1 u.t.s i g ,j h i t i ' ""' l (, u.. g., g t., I l E5 . cla [
- . I..
w vL.!.,, y , -}, ~c. ,. _ _ s,,, t s i r.;. - -+ =ie i g l .t, s +6 p -/, o .n A >, sl,:m 1 li
- f..
i !q.,1'$ f. H wll ll ~._...y,s'. = s.,',,' ..l $+ ,( I (F - h c.
- ,'s, s,,
\\ 'n%,4 r3.....-ll !s ~ 2.. s '4y -- &*- +, _ _ _ _ _.n s o ,i, < _ _ - t m. i c
- . -l.
r-----, m ------ i,i / s r I t .f
- .,o.
6 3 o.e(s. t !. hl!_ _, / \\ -y _k., C -it 1 - - -,h ' / I ',,:d.4! i.... _.i $p. __l,<. ,' __J ... L_ m
- q.
- ;w--
8., _.] / 3 s, c"r / j Hardwired Display ,5 CONTROL ROOM PLAN i I l j$$$ CONTi'OL ROOM FORNtTua AbernmG.AbcNash l g g o z m r-l m rn . VERMONT YANKEE g l Ae m I
- W m c3@'s.
. NUCLE AR POWEP. CORP'N. ................M 6 Oq g 6-
- VEFNON, VaPMoNT
-........,i...............,. i 1 _ _.}}